Report No. D-2008-138          September 30, 2008

Defense Information Systems Agency Controls Over the Center for Computing Services Placed in Operation and Tests of Operating Effectiveness for the Period April 1, 2007, through March 31, 2008

Additional Information and Copies
The Department of Defense Office of the Deputy Inspector General for Auditing, Defense Financial Auditing Service prepared this report. If you have questions or would like to obtain additional copies of this report, contact Ms. Patricia C. Remington at (703) 601-5815 (DSN 329-5815) or Mr. Richard Ng at (703) 601-5805 (DSN 329-5805).

Suggestions for Audits
To suggest ideas for or to request future audits, contact the Office of the Deputy Inspector General for Auditing at (703) 604-9142 (DSN 664-9142) or fax (703) 604-8932. Ideas and requests can also be mailed to:

                       ODIG-AUD (ATTN: Audit Suggestions)
                       Department of Defense Inspector General
                       400 Army Navy Drive (Room 801)
                       Arlington, VA 22202-4704

                                   INSPECTOR GENERAL
                                  DEPARTMENT OF DEFENSE
                                   400 ARMY NAVY DRIVE
                              ARLINGTON, VIRGINIA 22202-4704

                                                                     September 30, 2008

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER
               DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT: Report on Defense Information Systems Agency Controls Over the Center for Computing Services Placed in Operation and Tests of Operating Effectiveness for the Period April 1, 2007, through March 31, 2008 (Report No. D-2008-138)

We are providing this report for your information and use. No written response to this report is required.

We appreciate the courtesies extended to the staff. Please direct questions to Ms. Patricia C. Remington at (703) 601-5815 (DSN 329-5815) or Mr. Richard Ng at (703) 601-5805 (DSN 329-5805). The team members are listed inside the back cover.

                                            Patricia A. Marsh, CPA
                                            Assistant Inspector General
                                            Defense Financial Auditing Service

Table of Contents

Foreword                                                             i

Section I: Independent Service Auditor's Report                      1

Section II: Information Provided by DISA                             7

        Overview of Operations                                       9
        Overview of the Control Environment                         14
        Information and Communication                               22
        Control Objective and Related Control Activities            23
        User Control Consideration                                  23

Section III: Control Objectives, Control Techniques, and Tests of
             Operating Effectiveness                                27

        Security Program                                            29
        Risk Assessment                                             30
        Security Plans                                              31
        Security Management                                         32
        Personnel                                                   34
        Resource Classification                                     39
        Account Management                                          42
        Physical Security                                           44
        Logical Access Controls                                     47
        Networks and Telecommunications                             50
        Access Monitoring                                           52
        Change Control                                              54
        Service Continuity                                          58

Section IV: Supplemental Information Provided by DISA               65

Scope                                                               69

Acronyms and Abbreviations                                          71

Report Distribution                                                 73

                                         FOREWORD

This report is intended for use by Defense Information Systems Agency (DISA) management, its user organizations, and the independent auditors of its user organizations.

The Department of Defense (DoD) Office of Inspector General is implementing a long-range strategy to conduct audits of DoD financial statements. The Chief Financial Officers Act of 1990, as amended, mandates that agencies prepare and conduct audits of financial statements. The reliability of information processed at the DISA sites directly impacts the ability of DoD to produce reliable, and ultimately auditable, financial statements, which is key to achieving the goals of the Chief Financial Officers Act.

This report focuses on the DISA Center for Computing Services (CS). CS provides computer processing for the entire range of combat support functions, including transportation, logistics, maintenance, munitions, engineering, acquisition, finance, medicine, and military personnel readiness.
CS offers computing services on CS and customer-owned platforms, including computer operations, data storage, systems administration, security management, capacity management, system engineering, Web and portal hosting, architectural development, and performance monitoring.

This examination assessed DISA-defined controls over the CS environment. The report provides an opinion on the fairness of the DISA presentation of its description of controls, the suitability of the design of controls, and the operating effectiveness of key controls that are relevant to audits of a user organization's financial statements. As a result, this examination may preclude the need for additional audits of general controls, such as those that user organizations previously performed to plan or conduct financial statement and performance audits. From this examination, we will also provide a separate audit report with recommendations to management for correcting identified internal control deficiencies.

Effective internal control is a critical and required element to achieve reliable information for management reporting and decision making. The concept of adequate internal control is the fundamental objective of this American Institute of Certified Public Accountants Statement on Auditing Standards No. 70 Report. Internal control is a process designed by management to provide reasonable assurance that the activity achieves its objectives related to the reliability of financial reporting, the effectiveness of operations, and compliance with applicable significant laws and regulations. DISA has implemented internal control standards for the CS environment that require strict compliance with DoD and DISA policies.
The level of DISA compliance with specific aspects of these regulations has a direct impact on the accompanying description of internal controls and related control test results.

Section I: Independent Service Auditor's Report

As discussed in the accompanying description of controls, CS did not have control procedures in place to ensure that audit trails were being maintained and reviewed. This resulted in controls not being suitably designed to achieve Control Objective 11, "Controls provide reasonable assurance that access is monitored, suspected security violations are investigated, and appropriate remedial action is taken."

In our opinion, the accompanying description of the aforementioned controls presents fairly, in all material respects, the relevant aspects of controls that had been placed in operation as of March 31, 2008. Also, in our opinion, except for the deficiencies in the design of the controls and their effect on the related control objectives described in the preceding paragraphs, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and user organizations applied the controls contemplated in the design of the CS controls.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls, listed in our description of the tests of operating effectiveness, to obtain evidence about their effectiveness in meeting the related control objectives, described in Section III of this report, during the period from April 1, 2007, to March 31, 2008.
The specific controls and the nature, timing, extent, and results of the tests are listed in our description of the tests of operating effectiveness. This information has been provided to user organizations of CS and to their auditors to be taken into consideration, along with information about the internal control at user organizations, when making assessments of control risk for user organizations.

In our opinion, the controls that were tested, as presented in our description of the tests of operating effectiveness, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in our description of those tests were achieved during the period from April 1, 2007, to March 31, 2008.

The relative effectiveness and significance of specific controls over CS and their effect on assessments of control risk at user organizations are dependent upon their interaction with controls and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of the controls at individual user organizations.

The description of the controls over CS is as of March 31, 2008, and information about tests of the operating effectiveness of specific controls covers the period from April 1, 2007, to March 31, 2008. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at the service organization is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected.
Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes made to the system or controls, or the failure to make needed changes to the system or controls, may alter the validity of such conclusions.

Section II: Information Provided by DISA

                                        2007 SAS-70
              Statement on Auditing Standards
                                            Section II

A. Overview of Operations

Defense Information Systems Agency

Defense Information Systems Agency (DISA) is a combat support agency responsible for planning, engineering, acquiring, fielding, and supporting global net-centric[1] solutions to serve the needs of the President, Vice President, the Secretary of Defense, and other Department of Defense (DoD) Components, under all conditions of peace and war. DISA is the provider of global net-centric solutions for the nation's war fighters and all those who support them in the defense of the nation. The core services are Acquisition, Enterprise Services, Network Operations, Network Services, Net-Centric Enterprise Services, and Global Information Grid (GIG) Bandwidth Expansion. The Field Security Office (FSO), under the GIG Operations Directorate, and other DISA organizations are included only as they support Center for Computing Services (CS).

Center for Computing Services

CS provides computer processing for the entire range of combat support functions, including transportation, logistics, maintenance, munitions, engineering, acquisition, finance, medicine, and military personnel readiness. With more than 3,000,000 users, CS operates over 1,400 applications in 18 geographically separate facilities utilizing more than 35 mainframes and more than 6,000 servers.
The supported applications: 1) provide command and control of war fighting forces, 2) facilitate mobility of the war fighters through maintenance of the airlift and tanker fleets, 3) provide war fighter sustainment through resupply and reorder, and 4) manage the medical environment and patient care.

[1] A continuously evolving, complex community of people, devices, information, and services interconnected by a communications network to achieve optimal benefit of resources and better synchronization of events.

CS features diverse locations, a defense-in-depth philosophy, and dual high-capacity Defense Information Systems Network (DISN) connectivity. CS also utilizes automated systems management to control computing resources and realize economies of scale. CS has adopted assured computing philosophies and has implemented initiatives in the Unisys and IBM mainframe environments to ensure that information and mission-critical applications are continuously available to customers. Such initiatives include facility upgrades, improved software and equipment availability, diverse and redundant communications, and measures to remotely replicate data. Assured computing, coupled with the ability to rapidly increase processing and storage capacity via utility contracts, enables DISA to provide the availability and surge capabilities that customers require.

CS supports computing operations on both DISA-owned and customer-owned platforms. Computing services include computer operations, data storage, systems administration, security management, capacity management, system engineering, web and portal hosting, architectural development, and performance monitoring.
Computing services are provided by a highly skilled workforce and performed in state-of-the-art computing facilities strategically located throughout the Continental United States (CONUS); Vaihingen, Germany; and Pearl Harbor, Hawaii. DISA facilities are operational 24 hours a day, 7 days a week, 365 days a year, and support both unclassified and classified computing environments. Services are available to the Services, Defense agencies, and combatant commanders. Chart 1 provides the organizational structure of CS.

Chart 1. Defense Information Systems Agency Computing Services organizational structure (as of 30 April 2008; OPR: GS4). Elements shown in the chart:

   •   Leadership: Director; Deputy Director; Military Deputy; Technical Director; Technical Program Director

   •   Staff offices: Office of the CIO; Chief of Staff; Strategic Planning; Management Support Division; Special Assistant for Performance & Metrics

   •   Lines of business (LOBs) under the Technical Program Director: Processor LOB; Services LOB; Storage LOB

   •   Divisions: Resource Management Division; Customer Management Division; Operations Division; Logistics Division; Infrastructure Management Division

   •   Defense Enterprise Computing Centers: Mechanicsburg, Pennsylvania; Oklahoma City, Oklahoma; Montgomery, Alabama; Ogden, Utah; Vaihingen, Germany; Pearl Harbor, Hawaii; ISC San Antonio, TX; ISC Columbus, Ohio; St. Louis, Missouri; PE Denver, CO; PE Chambersburg, PA; PE Warner Robins, GA; PE San Diego, CA; PE Huntsville, AL; PE Jacksonville, FL; PE Rock Island, IL; PE Norfolk, VA; PE Dayton, OH

Headquarters. The primary headquarters for DISA CS is located in Falls Church, VA. There are other headquarters elements located in Chambersburg, PA; Denver, CO; Oklahoma City, OK; and Pensacola, FL. CS is organized into the following five primary divisions.

Resource Management Division.
The Resource Management Division (RMD) serves as the enterprise manager for managerial accounting, budget formulation, rate development, and financial execution management. RMD performs such functions as budget formulation and execution, workload customer invoicing, fund certification of acquisition documents, capital budgeting, and execution and preparation of the annual customer planning estimates. RMD is located at four primary locations: Jacksonville, FL; Chambersburg, PA; Denver, CO; and Pensacola, FL.

Customer Management Division. The Customer Management Division (CMD) provides the total life cycle management of all customer workload support, including requirements definition, engineering, proposal development, acquisition, implementation, and Service Level Agreements (SLAs), as well as billing and invoicing. CMD also performs the full range of customer relations functions for CS and coordinates customer-related issues with other DISA organizations. CMD is a virtual organization with personnel located in Falls Church, VA; Denver, CO; Chambersburg, PA; Mechanicsburg, PA; Oklahoma City, OK; Montgomery, AL; Ogden, UT; and San Antonio, TX.

Operations Division. The Operations Division advises the Director of CS on all principal operations and has overall responsibility for issuing operations and security standards, policies, plans, standard business processes, and standard operating procedures.
This division:

   •   tasks other CS elements as required to achieve the CS mission;

   •   manages and assesses operations and security of all assigned DISA information processing, communications, and network systems;

   •   provides appropriate assets in response to contingencies and exercises;

   •   oversees the overall operational performance and effectiveness of the Defense Information Infrastructure (DII) efforts implemented within CS as well as assigned systems;

   •   develops and maintains CS programs for configuration management, executive software, capacity management, incoming projects, and contingency operations; and

   •   manages the Network Operations for CS and integrates it into the DISA Network Operations program.

The Operations Division is organized in three layers: headquarters-level policy and plans, headquarters-level centralized operations, and direct operations. The direct operations layer includes the operating sites and the Communications Control Centers (CCCs).

           Operating Sites. The operating sites are called Defense Enterprise Computing Centers (DECCs). The DECCs located outside the continental United States are DECC Pacific in Pearl Harbor, Hawaii, and DECC Europe in Stuttgart, Germany. They provide processing services for DoD elements within their theater of operations. The DECCs in CONUS are divided into the following mission configurations:

                   1) System Management Centers (SMCs). The primary responsibility of each SMC is systems management and customer support functions for the mainframe and server computing environments.
                   The SMCs are located in Mechanicsburg, PA; Montgomery, AL; Ogden, UT; and Oklahoma City, OK.

                   2) Infrastructure Service Centers (ISCs). The ISCs perform system management for service-based applications and other specialized fielding efforts from CS customers. The ISCs are located at Columbus, OH; St. Louis, MO; and San Antonio, TX.

                   3) Processing Elements (PEs). The PEs serve as touch labor[2] or "lights dim" components; facility management, hardware support, physical security, touch labor for communication devices, and touch labor for media management are the primary responsibilities of each PE. The PEs are located in Chambersburg, PA; Dayton, OH; Denver, CO; Huntsville, AL; Jacksonville, FL; Norfolk, VA; Rock Island, IL; San Diego, CA; and Warner Robins, GA.

                   4) Central Communication Centers (CCCs). The primary responsibility of the CCCs is to manage all classified and unclassified network devices. The CCCs are located at the SMCs in Montgomery, AL, and Oklahoma City, OK.

Logistics Division. The Logistics Division supports the Director of CS on all logistics, acquisition, maintenance, and property management activities and provides command direction and guidance to execute integrated logistics support for assigned activities and systems. This division has offices in Chambersburg, PA, and Denver, CO, and liaison officers at each SMC.

Infrastructure Management Division (IMD). The IMD plans, engineers, and maintains the fundamental, non-revenue-producing elements required by the DECCs to perform operational processing in support of customer applications.
This division:

   •   provides planning, acquisition, configuration, and quality/risk management for infrastructure initiatives;

   •   provides Level III communications troubleshooting and complex problem management for the enterprise;

   •   develops tactical plans, and engineers/implements solutions for future technologies;

   •   engineers and deploys a standard communications, hardware, software, and enterprise systems management architecture to ensure interoperability; and

   •   provides tactical and long-range facilities planning for DISA processing sites.

[2] Touch labor refers to personnel providing physical on-site work needed when systems are remotely managed.

This division has offices in Falls Church, VA; Denver, CO; Pensacola, FL; and Chambersburg, PA.

Information Assurance Support

Almost all DISA elements interact with CS to some degree. The following DISA elements have a direct relationship with CS on Information Assurance (IA).

Chief Information Officer. The Chief Information Officer (CIO) provides staff support in accomplishing Information Resource Management (IRM) duties mandated by the Clinger-Cohen Act. The CIO develops IRM and Information Technology (IT) policies, performs IT management, strategic planning, and IT investment criteria, and incorporates and disseminates architecture and standards guidance. The CIO advises on acquisitions for DISA IT and coordinates with the Office of the Secretary of Defense on IRM, IT, and IT acquisition matters. The CIO is the Designated Approving Authority (DAA) for DISA-owned and operated internal IT enclaves and networks.
The CIO manages the agency-wide programs for Privacy Act and records management, manages implementation of electronic business and electronic commerce for DISA, and provides support for DoD Information Assurance Awareness training.

Field Security Operations. FSO provides functional Information Assurance Manager (IAM) services to CS. The mission of FSO is to provide information systems, network security products, and direct funding and reimbursable services throughout DoD, including the combatant commands, the Services, and Defense agencies. The FSO supports the National Command Authority, combatant commanders, Joint Task Force-Global Network Operations (JTF-GNO), the Services, and Defense agencies through Global Network Operations, Computer Emergency Response Capabilities, and Information System Security Services. The FSO provides such support by directing, managing, and protecting critical elements of the GIG. In this capacity, the FSO is the Certifying Authority for the DISA DAA. The FSO:

       •   develops, implements, and maintains security guidance and processes;

       •   conducts full-scope security reviews;

       •   provides security training, security training products, and system administrator (SA) certification; and

       •   implements security architecture and information assurance (IA) tools.

Manpower, Personnel, and Security

The Manpower, Personnel, and Security (MPS) Directorate provides plans, programs, and oversight worldwide in the mission areas of civilian personnel, military personnel, human resource development, organization and manpower program administration, payroll, travel, transportation, mail management, visual information, security, and command information.
In addition to worldwide responsibilities, MPS is responsible for providing direct service support to all DISA activities in the National Capital Region.

The Civilian Personnel Division, within MPS, advises and assists the Director of DISA in formulating, executing, and evaluating civilian personnel plans and programs; provides technical guidance and assistance to the DISA managers and employees; and oversees DISA civilian personnel management activities worldwide.

The DISA Security Division, within MPS, provides security policy, guidance, and oversight (except for Information Systems Security) to DISA activities worldwide, using a multi-disciplined and risk management approach. This division also provides traditional security assistance in information, personnel, physical, and special security reviews, and assessments in support of the DISA Security Certification and Accreditation process.

Procurement Directorate

The Procurement Directorate has four contracting organizations. One of the four is the Defense Information Technology Contracting Organization, located at Scott Air Force Base, Illinois. It supports CS and is responsible for the procurement of commercial information technology services and equipment required by DoD agencies and other U.S. Government agencies.

B. Overview of Control Environment

IA controls are layered and are applied through procedures and physical applications. Controls are employed to protect resources from theft, loss, damage, inadvertent disclosure, compromise, and deliberate attempts to gain access by forced or surreptitious means.
Protection is\naccomplished through the employment of countermeasures to deter, delay, detect, assess, and\nrespond to unauthorized activity.\n\nCS has the responsibility of providing core services and meeting the CS customer expectations\nthrough professional and consistent operations services and standard implementation of DoD\nregulations and DoD policies. CS is responsible for continual refinement and analysis of\noperations performance metrics and practices to identify and implement opportunities for\nimprovement in the execution of core operations services. CS is also responsible for maintaining\nthe integrity of the security posture of the operations environment.\n\nSecurity Management\n\nSecurity Review Program Guidance. In general, security review programs focus on\nmanagement actions that establish the DAA and the processes that support the accreditation of an\nAutomated Information System (AIS). DoD implemented the Office of Management and\nBudget (OMB) Circular A-130, \xe2\x80\x9cManagement of Federal Information Resources\xe2\x80\x9d, February 8,\n1996, requirements for a security program through DoD Instruction 8510.01, \xe2\x80\x9cDoD Information\nAssurance Certification and Accreditation Process (DIACAP),\xe2\x80\x9d 28 November 2007, and other\nDoD policies. DISA Instruction 630-230-19, \xe2\x80\x9cAutomated Data Processing Information\nAssurance\xe2\x80\x9d, 2 March 2007, prescribes policy and assigns responsibilities for implementing,\nmanaging, and maintaining the DISA Information Systems Security Program and implements the\nDoD programs, including DIACAP and designation of DAA. The DIACAP and resultant\n\n\n                                               14\n\x0cCertification and Accreditation (C&A) program are major components of DISA\xe2\x80\x99s security\nreview program.\n\nSecurity Control Program at the DECCs. 
The DISA CS Security Handbook, the Information\nAssurance Vulnerability Alert Handbook, and the Security Technical Implementation Guidelines\n(STIGs) are the primary operational-level guidance for implementing AIS security controls and\ncover the applicable OMB, DoD, and DISA requirements. The DECC security management\norganization structure and general business practices support the security program, including\nreview of security controls.\n\nSecurity Roles and Responsibilities\n\nDISA DAA/CIO. The DISA DAA/CIO retains the overall responsibility for the C&A as it\npertains to the DIACAP process of the CS sites.\n\nCS IAM. The CS IAM function/services are contracted to and performed by the FSO. The CS\nIAM provides guidance and direction to field units and advice to CS on IA, communications, and\nemanations security. The CS Chief of Operations and the CS Chief of Security oversee and\nensure delivery of CS IAM functions/services by FSO.\n\nCS Security Manager (SM). The CS SM function/services are provided to CS by Manpower,\nPersonnel and Security (MPS). The functional CS SM provides guidance and direction to field\nunits and advice on physical, industrial, personnel, and information security, as well as security\nmanagement. The CS Chief of Operations and the CS Chief of Security oversee and ensure\ndelivery of CS SM functions/services by MPS.\n\nSite IAM. The Site IAM develops and maintains an organization or DoD information system-\nlevel IA program that identifies IA architecture, requirements, objectives, and policies;\npersonnel; and processes and procedures. Depending upon the site, the IAM reports to the Chief\nof Security, the Deputy Director, or the Director of the site.\n\nSite Information Assurance Officer (IAO). The site IAO assists the IAM in meeting the duties\nand responsibilities outlined above. 
The site IAO reports to the IAM of the site.\n\nRisk Assessments\n\nCS implemented a risk assessment process to identify and manage risks that could affect\ncustomer organizations. This process requires a formal risk assessment, which is part of the\nSystem Security Authorization Agreement (SSAA). The process also includes external and\ninternal compliance validation and procedures to maintain an acceptable level of risk.\n\nFormal Risk Assessment. The FSO prepares the formal risk assessment for each CS site.\nResidual risk is determined by validating the countermeasures that have been implemented\nagainst the identified threats. Various tools are used to validate the effectiveness of the\nimplemented countermeasures; the Security Readiness Review (SRR) and the vulnerability scan\nare used to determine the effectiveness of the network, system, physical, personnel, information,\nand industrial security procedural countermeasures. These can be conducted by the FSO or as\nself-assessments performed by site personnel. Environmental and facility reviews conducted by\n\n\n                                                15\n\x0cCS Facility Engineers are used to determine the effectiveness of facility and environmental\ncountermeasures. Various Federal Emergency Management Agency (FEMA) web sites are used\nto determine weather, climatic, and natural threats.\n\nThe IAMs for DECCs are responsible for reviewing the risk assessment documents annually and\nidentifying pen-and-ink changes. If no changes are noted, the formal risk assessment document\nis not re-dated or re-signed. The CS IAM is responsible for reviewing and making changes to\nthe DECC PE risk assessment documents as they occur. Under DIACAP, the formal risk\nassessment is a required appendix to the SSAA submitted to the DISA DAA, who is the DISA\nCIO. A complete formal review and documented risk assessment is conducted only every three\nyears.\n\nMission Assurance Category. 
The Mission Assurance Category (MAC) reflects the importance\nof information relative to the achievement of DoD goals and objectives, particularly the war\nfighter combat mission. MAC levels are the basis for determining availability and integrity\ncontrol requirements. DoD has three defined MAC levels.\n\n       \xe2\x80\xa2 MAC I. Systems handling information that is vital to the operational readiness or\n       mission effectiveness of deployed and contingency forces in terms of both content and\n       timeliness. The consequences of loss of integrity or availability of a MAC I system are\n       unacceptable and could include the immediate and sustained loss of mission\n       effectiveness. MAC I systems require the most stringent protection measures.\n\n       \xe2\x80\xa2 MAC II. Systems handling information that is important to the support of deployed\n       and contingency forces. The consequences of loss of integrity are unacceptable. Loss of\n       availability is difficult to deal with and can only be tolerated for a short time. The\n       consequences could include delay or degradation in providing important support services\n       or commodities that may seriously impact mission effectiveness or operational readiness.\n       MAC II systems require additional safeguards beyond best practices to ensure assurance.\n\n       \xe2\x80\xa2 MAC III. Systems handling information that is necessary for the conduct of day-to-\n       day business, but does not materially affect support to deployed or contingency forces in\n       the short-term. The consequences of loss of integrity or availability can be tolerated or\n       overcome without significant impacts on mission effectiveness or operational readiness.\n       The consequences could include the delay or degradation of services or commodities\n       enabling routine activities. 
MAC III systems require protective measures, techniques, or\n       procedures generally commensurate with commercial best practices.\n\nCompliance Validation\n\nDISA compliance validation is conducted externally by the FSO and within CS using the FSO\nToolkits for compliance with the GS4 Letter of Instruction (LOI) 08-03, \xe2\x80\x9cMandatory Information\nAssurance Guidance\xe2\x80\x9d, June 6, 2008. The results from the FSO review are maintained in the\nVulnerability Management System (VMS). FSO categorizes the vulnerabilities into four\ncategories, based on severity.\n\n\n\n\n                                               16\n\x0c   \xe2\x80\xa2   Finding Category I. Any vulnerability that may result in a total loss of information, or\n       that provides an unauthorized person or software immediate access into a system, privileged\n       access, a means to bypass a firewall, or a denial of service.\n\n   \xe2\x80\xa2   Finding Category II. Any vulnerability that provides information that has a high\n       potential of giving access to an unauthorized person, or provides an unauthorized person\n       the means to circumvent security controls.\n\n   \xe2\x80\xa2   Finding Category III. Any vulnerability that provides information that could potentially\n       lead to unauthorized access.\n\n   \xe2\x80\xa2   Finding Category IV. Any other vulnerability that contributes to degraded security.\n\nExternal Compliance Validation\n\nThe external compliance validation is conducted by the FSO. Because of the number and size of\nthe sites, a complete review of each site cannot be made on an annual basis. The complete\nreview is conducted during a three-year cycle to coincide with the formal accreditation cycle.\nPer DIACAP, accreditation decisions are made for a maximum of a three-year period. Annual\nreviews conducted by the FSO are known as Information Assurance Reviews (IARs). 
The IAR\nincludes a review of the output from the FSO Toolkits, documentation in VMS, manual\nchecklists where toolkits are not available, and a vulnerability or penetration scan. All IAR\nresults are entered into VMS and used by the DISA CIO for the accreditation decision. There are\nseveral components to the IAR:\n\n   \xe2\x80\xa2   Traditional Review. The traditional review determines whether policies and procedures\n       on physical, information, personnel, industrial, communications, and emanations security\n       comply with DoD regulations and DISA instructions. It also validates whether policies\n       and procedures are correctly and adequately implemented.\n\n   \xe2\x80\xa2   Technical Review. The technical review uses a combination of automated and manual\n       checks for network devices, operating systems, databases, and web applications to verify\n       that configuration settings are In Accordance With (IAW) the applicable STIGs.\n\n   \xe2\x80\xa2   Vulnerability Scans. The vulnerability scan process utilizes a commercial automated\n       scanning tool that checks for known vulnerabilities. The scan is a two-step process. The\n       first step is external to the perimeter of the enclave and determines the robustness of\n       perimeter defenses. The second step is internal to the perimeter of the enclave and\n       determines the robustness of the defense of each device within the enclave. IAW\n       Compliance Task Order (CTO) 08-005, internal scan results are imported into VMS on a\n       monthly basis.\n\nInternal Compliance Validation\n\nThe internal validation process is enforced via the Mandatory Information Assurance Guidance,\nGS4 LOI 08-03. This process ensures devices are approved prior to connecting to the network,\n\n\n                                               17\n\x0cusing the FSO Toolkits and checklists as a self-assessment. 
These results are imported or\nentered into VMS.\n\nVulnerability Management System\n\nVMS is a DoD vulnerability management system for Information Assurance Vulnerability\nManagement (IAVM) and STIG compliance. The IAVM portion is used to track\nacknowledgement and compliance with alerts, bulletins, and technical advisories as directed by\nChairman of Joint Chiefs of Staff Instruction 6510-01D, \xe2\x80\x9cInformation Assurance (IA) and\nComputer Network Defense.\xe2\x80\x9d Information for all assets is registered in VMS: system details,\noperating systems, owner, and managing site.\n\nThere is a Plan of Action and Milestone (POA&M) process for vulnerabilities that cannot be\nremediated within the established timeframe. The CS IAM reviews the POA&Ms and\nconcurs or non-concurs. The CIO has the final approval for any POA&Ms. VMS also notifies the\nmanaging System Administrators (SAs) via email of any newly released IAVMs. The STIG\nportion identifies vulnerabilities and tracks remediation of those vulnerabilities.\n\nGIG Monitoring\n\nThere are network Intrusion Detection Systems (IDSs) located on the GIG that monitor standard\nsecurity policy. The GIG network IDSs, monitored by the Global Network Security Center\n(GNSC), are known as the Joint Intrusion Detection System (JIDS). The GNSC monitors all JIDS\non the GIG within the CONUS. There are various other centers located around the world and all\ncenters feed into a DoD Global Network Operations Center (GNOC). This group identifies any\ninformation threat on an isolated, regional, or global basis. 
The GNSC notifies all parties of any\ntype of potential unauthorized attack or access, and works with the managing CCC and site\nInformation Assurance (IA) staff to help identify, isolate, investigate, and remediate potential\nthreats.\n\nCS Enclave Perimeter Monitoring\n\nAll CS enclave perimeters have a layered defense that consists of Access Control Lists (ACLs)\non the perimeter router, firewalls, and a network IDS. The security staff located in the CCCs\ndevelops the security profiles for the enclave perimeter router, perimeter firewall, and perimeter\nnetwork IDSs, and monitors their respective reports and audit logs for unauthorized access or\nactivities. This is for the entire CONUS-based CS network. The security staffs located at\nDECCs Europe and Pacific perform the same tasks locally for their respective enclave perimeter\ndevices. Suspected incidents are investigated in concert with trusted agents from the customer\nbase or data owners to determine the legitimacy of the incidents. If a suspected incident cannot\nbe validated as authorized, it is reported to the Liaison Officer (LNO) and to the GNSC. The\nGNSC then directs all actions for this incident and closes it or turns it over to the appropriate\ninvestigative agency for action. The Computing Service Cell (CSC) reports the incident to the CS\nIssue Center within the CS Operations Division.\n\nEnclave Monitoring\n\n\n\n\n                                               18\n\x0cHost Based Security System (HBSS) is currently being deployed across the CS environment for\nany assets on the Out of Band (OOB) network. Some sites also use a host-based IDS. Validated\nunauthorized privileged accesses are reported up the same chain as other incidents.\n\nFSO Monitoring\n\nThe FSO conducts external vulnerability scanning once a year for the Non-Classified Internet\nProtocol Router Network (NIPRNET) and Secret Internet Protocol Router Network (SIPRNET)\nconnections at all sites. 
If the scan does not penetrate or identify a weakness in the enclave\nperimeter, the scan is terminated. If the scan does identify a weakness in the enclave perimeter,\nthe scan continues to further identify weaknesses. The results are entered into VMS and are\nbriefed to the site director and senior staff.\n\nSegregation of Duties\n\nSegregation of duties is handled IAW the DISA CS Security Handbook.\n\nPersonnel Controls\n\nAll personnel must meet employment requirements and are subject to a favorable personnel\nsecurity investigation. An authorization document, known as the Joint Table of Distribution\n(JTD), authorizes all Government (civilian and military) positions. This document also identifies\nthe sensitivity, IT level, and security clearance requirement for each position. These three\nelements determine the type of investigation required and the type and frequency of periodic\nreinvestigations.\n\nAll personnel are subject to a level of personnel security investigation that is based on the level of\nprivileges they have within systems. All personnel possess a Secret clearance with IT-2 level,\nexcept for those with privileged access (SAs, Database Administrators (DBAs), Storage\nAdministrators, Network Administrators, etc.), who are required to have a Secret clearance with\nIT-1 level. All personnel security is managed and monitored by DISA MPS6 in concert with site\nSMs. The CS SM submits all personnel security actions through DISA MPS6. The DISA\nSecurity Office issues requests for additional information, intent to deny or revoke, and actual\nrevocations of security clearances or favorable investigations.\n\nEnvironmental Controls\n\nThe Facilities Engineering Branch, a CS Headquarters organization in Denver, establishes facility\nstandards for the DECCs on electrical distribution, Uninterrupted Power Supply (UPS), fire\ndetection and fire suppression, and climate control IAW national standards.\n\n   \xe2\x80\xa2   Electrical Distribution. 
Most sites have at least two electrical power feeds either from\n       the installation or another commercial source. There are automatic voltage controls at all\n       computing facilities and alerts of any potential electrical problems. There is a master\n       power switch located at the primary entrances in all computer facilities.\n\n   \xe2\x80\xa2   UPS. Each site has a UPS consisting of constantly charged batteries in case of power\n       disruption. The UPS is constantly monitored and alerts staff of any potential problem.\n\n\n                                                19\n\x0c       Each site is also equipped with generators that provide an automatic start-up power\n       source. Backup power sources are tested on a periodic basis to ensure that they function\n       properly and provide sufficient electrical power to meet site operating requirements.\n       Additional fuel is stored on site for sustained backup operations. The fuel is tested on an\n       annual basis for contamination.\n\n   \xe2\x80\xa2   Fire Detection. Most administrative areas are protected by fire detection systems that\n       alarm either locally or at a responding fire department. All computing facilities are\n       protected by automatic fire detection systems that alarm at the responding fire\n       department.\n\n   \xe2\x80\xa2   Fire Suppression. All administrative areas are protected by either automatic or manual\n       fire suppression systems. All computing facilities are protected by automatic fire\n       suppression systems that are triggered by smoke or heat detectors. Fire prevention is an\n       inherent responsibility of every CS employee and requires alertness and cooperation from\n       all individuals and agencies that may be in the building. Each site follows the facility\n       emergency plan for the protection of all Government employees and private industry\n       tenants.\n\n   \xe2\x80\xa2   Climate Control. 
There are mechanical systems that provide the constant and desired\n       temperature, humidity, and air particles. The climate control system is constantly\n       monitored and alerts of any potential problem. Many of the computer facilities are\n       equipped with water detection systems and a water drainage system to handle excess\n       water under the raised floor area.\n\nPhysical Security Controls\n\n   \xe2\x80\xa2   Administrative Areas. All buildings and administrative areas have limited entry points\n       and all are protected by automated access card systems or by guards located at the\n       entrances. In some cases, both are used; guards protect the area during normal duty hours\n       from Monday through Friday, and the automated access card system controls access\n       during all off-duty hours. All personnel must wear identification badges while in the\n       area. Visitors to all sites must be signed into the administrative area and obtain local\n       badges that must be displayed while in the buildings. The issuance of an escort-required\n       or a non-escort required visitor badge depends on the validation of visitor\xe2\x80\x99s investigation\n       type and security clearance.\n\n   \xe2\x80\xa2   Computer Facility. 
All computer facilities have implemented the following physical\n       controls:\n\n          o controlled access and controlled perimeter for CS facilities located on a military\n            or General Services Administration (GSA) installation;\n          o verification of DoD identification such as a Common Access Card (CAC) or DISA\n            badge;\n          o a perimeter fence that controls vehicle and pedestrian access for facilities not\n            located on a military or GSA installation;\n\n\n\n                                               20\n\x0c           o routine patrol and random door checks performed by local military, DoD, or GSA\n             guards in accordance with the local base support agreement; and\n           o access to the administrative areas controlled by guard, mechanical cipher, or\n             automated access control system.\n\n   \xe2\x80\xa2   Facility Support Areas. Access to facility support areas is controlled either by fencing,\n       automated access control systems, or key locking devices. These areas are not\n       considered \xe2\x80\x9cRestricted Areas\xe2\x80\x9d. Most of the facilities have closed circuit television\n       coverage of all doors to computer facilities, buildings, and facility support areas inside\n       and outside of the buildings. A local guard monitors the cameras at some sites. Where\n       cameras are not monitored, access is recorded and surveillance tapes are maintained for at\n       least 30 days.\n\n   \xe2\x80\xa2   Information Security Controls. Only properly cleared personnel with a need-to-know\n       are granted access to classified information. All classified paper documents are stored in\n       an approved GSA security container. Combinations to approved storage areas and\n       security containers are restricted to only those who need to gain access, and a Standard\n       Form (SF) 700 identifies who holds the combinations. 
The combination is treated as\n       classified information, and the SF 700 must be stored in a separate security container. All\n       security containers and approved storage areas must have an SF 702 on the outside, annotated\n       with the initials of the person opening the container and the date and time the container was\n       opened and closed. Security containers are to be inspected daily and the inspection annotated\n       on the SF 702 to prevent a security breach.\n\n       All classified transmissions that egress the perimeter router are encrypted using National\n       Security Agency (NSA) Type I encryption devices and keying material. In some cases,\n       transmissions inside the enclave are not encrypted but are required to be in an appropriate\n       Protected Distribution System (PDS). Where the customer requires encryption of unclassified\n       information in transmission in the SLA, the cryptographic modules used must meet Federal\n       Information Processing Standards (FIPS) 140-2, \xe2\x80\x9cSecurity Requirements for Cryptographic\n       Modules\xe2\x80\x9d, released May 25, 2001. All computing areas that process classified information\n       must be in an approved classified information storage area or be continuously manned by\n       properly cleared personnel who can observe every device (computing and networking)\n       processing classified information. Information stored on magnetic media is not encrypted\n       unless the customer requests it. NSA devices are used for classified information and FIPS\n       140-2 compliant devices are used for unclassified information. All classified and unclassified\n       information must be destroyed using approved methods of destruction IAW DoD Regulation\n       5200.1-R, \xe2\x80\x9cInformation Security Program\xe2\x80\x9d, January 1997.\n\nIndustrial Security Controls\n\nContracts must address security requirements. 
The contract should identify:\n\n   \xe2\x80\xa2   the requirement for IT level and the personnel security investigation;\n\n\n\n\n                                               21\n\x0c   \xe2\x80\xa2   the requirement for the contractor to provide visit request information for all contractor\n       personnel that need to visit a Government location;\n\n   \xe2\x80\xa2   the requirement to comply with all security policies and procedures at Government\n       locations;\n\n   \xe2\x80\xa2   the configuration requirement for contractor-provided equipment that will be connected\n       to Government networks and enclaves, if no Government-furnished equipment is\n       provided; and\n\n   \xe2\x80\xa2   the requirement for a DD Form 254, for contracts that require access to classified\n       information, that outlines the required level of security clearance, where classified\n       information can be accessed, and any special instructions.\n\nC. Information and Communication\nInformation Systems Overview\n\nThe concept of operations for CS emphasizes and describes a \xe2\x80\x9ccustomer focused\xe2\x80\x9d environment,\norganized with SMCs, Operational Support Teams (OSTs), and production operations\nenvironments designed to provide a problem resolution and a situational awareness posture over\nall domains of a dynamic production environment that is operational 24 hours a day, 7 days a\nweek, and 365 days a year. CS customer support demands include multiple classifications of\nsecure environments, multi-vendor UNIX environments, Intel-based server environments, IBM\nand Unisys mainframe environments, multiple commercial database environments, Commercial\nOff-The-Shelf (COTS) applications, Government Off-The-Shelf (GOTS) applications,\ncustomized legacy systems, web-based systems, voice-based systems including commercial\ntelephone switch support, Private Branch Exchange (PBX) support, and multiple\ncommunications infrastructures. 
CS must have knowledge of the products, services, and\napplications used by its customer base, as well as information regarding the internal health of the\nCS IT environment to provide professional, knowledgeable, and proactive support.\n\nCommunication\n\nCS has implemented various methods of communications to ensure that all employees\nunderstand their individual roles and responsibilities. These methods include New Employee\nOrientation, Individual Development Plan (IDP), CS Plan of the Week that summarizes various\nsignificant events, and the use of electronic mail messages to communicate time-sensitive\nmessages and information. The Director of CS holds a weekly staff meeting with all CS\nDivision Chiefs. All site Chiefs also hold periodic staff meetings as appropriate. Every\nemployee within CS has a written Position Description (PD), and every PD includes details of\nwhat responsibilities are required of the individual.\n\nThe CS Business Management Center (BMC) is responsible for headquarters level customer\nrelations and acts as the face to the customer. Each operating site within CS maintains detailed\nrecords of problems reported by customer and problems or incidents noted during processing and\nmonitor such items until they are resolved. The LNO is responsible for the up-channel reporting\n\n\n                                                22\n\x0cof operations incidents. Categories of incidents have been identified as high impact, high\nvisibility, or high interest requiring detailed reporting to a defined chain of senior management.\nSpecific information requirements have been defined for the incident reports to help ensure\ncompleteness, accuracy, and understandability. Standard trouble tickets that provide the basic\ninformation must be cleansed to ensure that these informational requirements are met and\nconsolidated into the defined incident reporting format.\n\nD. 
Control Objectives and Related Control Activities\nCS control objectives and related controls are included in Section III, \xe2\x80\x9cControl Objectives,\nControls Activities, and Tests of Operating Effectiveness,\xe2\x80\x9d of this report to eliminate the\nredundancy that would result from listing them in this section and repeating them in Section III.\nAlthough the control objectives and related controls are included in Section III, they are\nnevertheless, an integral part of CS control descriptions.\n\nE. User Control Considerations\nComputing Services User Controls\n\nCS and its customers share the controls over the users. This shared environment normally is\ndelineated between the computing environment and the applications.\n\nCustomer User Controls\n\nCustomers are expected to have general user controls, at a minimum, built into their applications\nand should be delineated in the application SSAA documentation.\n\nSLAs\n\nAn SLA is a contract between a service agency and a customer agency that defines the\nparameters of the services. The SLA defines the services to be delivered, problem management,\nand customer duties and responsibilities. The SLA outlines, at a minimum, the responsibilities\nover system access, security controls, data disposition and sharing, data encryption, and data\nbackup for both CS and the customers.\n\nF. 
Acronyms

ACL        Access Control List
AIS        Automated Information System
BMC        Business Management Center
C&A        Certification and Accreditation
CAC        Common Access Card
CCC        Central Communication Center
CIO        Chief Information Officer
CMD        Customer Management Division
CONUS      Continental United States
COTS       Commercial Off-The-Shelf
CS         Computing Services
CSC        Computing Service Cell
CTO        Compliance Task Order
DAA        Designated Approving Authority
DBA        Database Administrator
DECC       Defense Enterprise Computing Center
DIACAP     DoD Information Assurance Certification and Accreditation Process
DII        Defense Information Infrastructure
DISA       Defense Information Systems Agency
DISN       Defense Information Systems Network
DoD        Department of Defense
FEMA       Federal Emergency Management Agency
FIPS       Federal Information Processing Standards
FSO        Field Security Office
GIG        Global Information Grid
GNOC       Global Network Operations Center
GNSC       Global Network Security Center
GOTS       Government Off-The-Shelf
GSA        General Services Administration
HBSS       Host Based Security System
IA         Information Assurance
IAM        Information Assurance Manager
IAO        Information Assurance Officer
IAR        Information Assurance Review
IAVM       Information Assurance Vulnerability Management
IAW        In Accordance With
IDP        Individual Development Plan
IDS        Intrusion Detection System
IMD        Infrastructure Management Division
IRM        Information Resource Management
ISC        Infrastructure Service Center
IT         Information Technology
JIDS       Joint Intrusion Detection System
JTD        Joint Table of Distribution
JTF-GNO    Joint Task Force-Global Network Operations
LNO        Liaison Officer
LOI        Letter of Instruction
MAC        Mission Assurance Category
MPS        Manpower, Personnel and Security
NIPRNET    Non-Classified Internet Protocol Router Network
NSA        National Security Agency
OMB        Office of Management and Budget
OOB        Out of Band
OST        Operational Support Team
PBX        Private Branch Exchange
PD         Position Description
PDS        Protected Distribution System
PE         Processing Element
POA&M      Plan of Action and Milestone
RMD        Resource Management Division
SA         System Administrator
SF         Standard Form
SIPRNET    Secret Internet Protocol Router Network
SLA        Service Level Agreement
SM         Security Manager
SMC        System Management Center
SRR        Security Readiness Review
SSAA       System Security Authorization Agreement
STIG       Security Technical Implementation Guideline
UPS        Uninterrupted Power Supply
VMS        Vulnerability Management System


Section III: Control Objectives, Control Techniques, and
             Tests of Operating Effectiveness

Each control objective below is followed by its numbered sub-objectives. For each sub-objective, the table columns of the original report (Control Techniques, Test of Operating Effectiveness, Results of Testing) are given as labeled entries.


Security Program

1     Controls provide reasonable assurance that the security program effectiveness is monitored and changes are made as needed.

1.1   Management periodically assesses the appropriateness of security policies and procedures.

      Control Technique:   SP5.1 Annual reviews are conducted to accommodate new security policy requirements, technology changes, etc., and are checked by the Information Assurance Review (IAR) process.
      Test:                We requested documentation of the annual review that accommodates new security policy requirements, technology changes, and related changes. We reviewed the CSD IAM description of the annual review process.
      Result:              CSD IAM did not conduct annual reviews to accommodate new security policy requirements and technology changes.

      Control Technique:   SP5.1 CS Operations Division conducts annual reviews to assess the appropriateness of the CS security policies.
      Test:                We requested documentation of the CS Operations Division annual review that assesses the appropriateness of the CS security policies. We reviewed the CS Operations Division description of the annual review process.
      Result:              CS Operations Division did not conduct annual reviews to assess the appropriateness of the CS security policies.

      Control Technique:   SP5.1 The FSO conducts annual Technical Interchange Meetings to assess the appropriateness of the security policies.
      Test:                We reviewed the Technical Interchange Meetings (TIMs) minutes the FSO prepared to determine whether the FSO assessed the appropriateness of the security policies.
      Result:              No relevant exceptions noted.

1.2   Management monitors compliance with policies and procedures.

      Control Technique:   SP5.2 FSO performs SRRs as part of the IA review and certification and accreditation process.
      Test:                We inspected SRRs that we obtained from the FSO to determine whether the FSO performed the SRRs.
      Result:              No relevant exceptions noted.

      Control Technique:   SP5.2 CSD IAM provides a weekly report on IAVMs to CSD Senior Management.
      Test:                We inspected a sample of 14 weekly Information Assurance Vulnerability Management (IAVM) briefings to determine whether the CSD IAM provided weekly reports to CSD Senior Management.
      Result:              No relevant exceptions noted.

1.3   Corrective actions are effectively implemented.

      Control Technique:   SP5.2 Corrective actions to findings are submitted and updated by the SA and monitored by the IAM at the local level via the Vulnerability Management System (VMS).
      Test:                We interviewed the SMCs, ISCs, and DECC Pacific IAM to determine whether sites submitted, updated, and monitored corrective actions through VMS.
      Result:              No relevant exceptions noted.

      Control Technique:   SP5.2 Corrective actions to findings are monitored by the DAA and Certifying Authority at the headquarters level via the Vulnerability Management System (VMS).
      Test:                We obtained from the DAA and Certifying Authority a description of the reports and process that the DAA and Certifying Authority used to monitor findings and corrective actions through VMS.
      Result:              No relevant exceptions noted.


Risk Assessment

2     Controls provide reasonable assurance that risks are periodically assessed and appropriate steps are taken to mitigate risks.

2.1   Risk assessments are performed according to current Federal and DOD requirements.

      Control Technique:   SP5.2 Risk assessments are performed annually IAW DODI 5200.40 or Interim DIACAP.
      Test:                We obtained and reviewed the risk assessments for the SMCs, ISCs, and DECC Pacific. We determined whether the risk assessments were completed in accordance with DOD Instruction 5200.40 or Interim DIACAP.
      Result:              Of the SMCs, ISCs, and DECC Pacific, one ISC did not have a signed risk assessment.

      Control Technique:   SP5.2 Risk mitigation is documented in the risk assessment.
      Test:                We obtained and reviewed the most current risk assessments that the CSD IAM prepared for the SMCs, ISCs, and DECC Pacific. We verified whether the activities adequately addressed risk mitigation in their risk assessments.
      Result:              The risk assessments did not adequately address risk mitigation for the three SMCs, two ISCs, and DECC Pacific.

      Control Technique:   SP5.2 Enterprise risk assessments are prepared based on the site risk assessment results.
      Test:                We requested the enterprise risk assessment.
      Result:              CS did not prepare an enterprise risk assessment.


Security Plans

3     Controls provide reasonable assurance that site security plans are in place, prepared, documented, and approved in accordance with Federal and DoD requirements, and are current.

3.1   Site security plans are documented.

      Control Technique:   SP2.1 Updates (as required) are located at the sites.
      Test:                We obtained the most recent site security plans from the SMCs, ISCs, and DECC Pacific.
      Result:              No relevant exceptions noted.

      Control Technique:   SP2.1 The security plan is documented, addresses topics prescribed in OMB Circular A-130, and is on file at the DAA.
      Test:                We obtained the most recent security plans from the SMCs, ISCs, and DECC Pacific. We reviewed the site security plans to determine whether topics prescribed in OMB Circular A-130 were adequately addressed.
      Result:              One SMC did not adequately address the topics prescribed in OMB Circular A-130.
      Test:                We obtained the most recent SSAA packets from the DAA to determine whether these were the same security plans we obtained from the SMCs, ISCs, and DECC Pacific.
      Result:              The DAA did not have one SMC security plan on file.

3.2   Site security plans are approved.

      Control Technique:   SP2.1 The security plan for all sites is signed by the senior official on site.
      Test:                We obtained the most recent site security plans from the SMCs, ISCs, and DECC Pacific to determine whether the senior site official approved the security plan.
      Result:              No relevant exceptions noted.

3.3   Site security plans are current.

      Control Technique:   SP2.2 The security plan is reviewed annually and is updated as required.
      Test:                We interviewed the CSD IAM to understand the security plan review process. We tested whether a security plan for each site was included with the SSAA and on file at the DAA. We obtained and reviewed the most recent security plan maintained at the SMCs, ISCs, and DECC Pacific. We determined whether the security plans we obtained from the DAA were the same security plans maintained at the SMCs, ISCs, and DECC Pacific.
      Result:              No relevant exceptions noted.


Security Management

4     Controls provide reasonable assurance that a security management structure is established and security responsibilities are clearly assigned.

      Design Weakness:

      (a) DISA Computing Services did not have control procedures in place to ensure that security responsibilities are clearly assigned at all levels. Specifically, control procedures are needed to ensure the DISA Computing Services Enterprise Security Roles and Responsibilities Concept of Operations defines the responsibilities of security officials at all levels in CSD.

      (b) DISA did not have control procedures in place to ensure security awareness training completion is recorded and maintained in the Defense On-Line Training System (DOTS). Specifically, security awareness training encompasses two types of training, Traditional and Information Assurance Awareness; however, records for all types of training are not recorded in DOTS.

4.1   A security management structure has been established.

      Control Technique:   SP3.1 The CSD Security Management CONOPS defines the responsibilities of security officials at all levels in CSD.
      Test:                We inspected the DISA Computing Services Enterprise Security Roles and Responsibilities Concept of Operations to determine whether it defined the responsibilities of security officials for all levels in CSD.
      Result:              Refer above to item (a) of the design weakness. The DISA CS Enterprise Security Roles and Responsibilities Concept of Operations did not define the SMC, ISC, and DECC Pacific IAO responsibilities.

4.2   Information security responsibilities are clearly assigned.

      Control Technique:   SP3.2 The roles and responsibilities are outlined in the CSD Security Management CONOPS. The IAM, IAO, and SM are assigned in their appointment orders.
      Test:                We reviewed the universe of 153 IAM, IAO, and SM appointment orders obtained from the SMCs, ISCs, and DECC Pacific to determine whether the roles and responsibilities outlined in the DISA Computing Services Enterprise Security Roles and Responsibilities Concept of Operations were assigned in the appointment orders.
      Result:              Refer above to item (a) of the design weakness.
                           Of 13 SM appointment orders, 9 were not complete at three SMCs, two ISCs, and DECC Pacific.
                           Of 13 IAM appointment orders, 12 were not complete at three SMCs, three ISCs, and DECC Pacific.
                           Of 127 IAO appointment orders, 127 did not have defined roles and responsibilities at four SMCs, three ISCs, and DECC Pacific.

4.3   CS personnel are aware of security policies.

      Control Technique:   SP3.3 Refresher security awareness training completion is recorded and maintained in DOTS.
      Test:                We inspected a sample of 385 DISA personnel refresher information-assurance awareness training records from the SMCs, ISCs, DECC Pacific, MPS, and CIO to determine whether DISA recorded and maintained training records in DOTS.
      Result:              Refer above to item (b) of the design weakness.
                           Of 385 DISA personnel, 182 did not have information-assurance awareness training records in DOTS at three SMCs, two ISCs, MPS, and CIO.
                           Two SMCs and one ISC did not record and maintain information-assurance awareness training completion in DOTS.

      Control Technique:   SP3.3 CS personnel are required to take initial security awareness training before gaining access to any system.
      Test:                We inspected a sample of 344 CS personnel DD Forms 2875 at the SMCs, ISCs, and DECC Pacific to determine whether personnel took initial information assurance awareness training before gaining access to any system.
      Result:              Of 344 CS personnel DD Forms 2875, 5 did not have the information assurance section completed at three SMCs and one ISC.

      Control Technique:   SP3.3 CS personnel are required to take annual refresher security awareness training.
      Test:                We inspected a sample of 344 CS personnel information-assurance training records at the SMCs, ISCs, and DECC Pacific to determine whether personnel completed annual security awareness training.
      Result:              Of 344 CS personnel information-assurance training records, one SMC and one ISC did not maintain 6 training records.


Personnel

5     Controls provide reasonable assurance that effective personnel policies have been implemented.

5.1   Employee (Government and contractor) background investigations, hiring, transferring, and termination policies address security and are in compliance with DODI 8500.2.

      Control Technique:   SP4.1 Security requirements for contractor employees are included in the contract requirements. Personnel security compliance is monitored by CS Security Managers.
      Test:                We inspected a sample of 39 contracts the Defense Information Technology Contracting Organization had issued to determine whether security requirements were included.
      Result:              No relevant exceptions noted.
      Test:                We verified with CS Security Managers that documentation for a sample of 255 contractor employees showed current and valid security clearances.
      Result:              Of a sample of 255 contractor employees, 2 employees did not have current security clearances.

      Control Technique:   SP4.1 Personnel security checks are conducted to determine that there exists a valid and current personnel security investigation for each Government employee at the site based on the individual's duties and tasks.
      Test:                We inspected a sample of 291 security background investigations for Government employees at the SMCs, ISCs, and DECC Pacific to determine whether the investigations were valid and current.
      Result:              Of 291 security background investigations for Government employees, 2 were not current.

      Control Technique:   SP4.1 Termination of contractor employees requires revoking of all access to DISA applications and systems.
      Test:                We inspected documentation for a sample of 120 terminated contractor employees at the SMCs, ISCs, and DECC Pacific to determine whether each employee's system access was revoked.
      Result:              No relevant exceptions noted.

      Control Technique:   SP4.1 Government employees transferring to organizations within DISA but outside CS requires revoking of all access to CS applications and systems.
      Test:                We inspected the universe of seven Government employees who had transferred to organizations within DISA but outside CS to determine whether access to the CS system was revoked.
      Result:              No relevant exceptions noted.

      Control Technique:   SP4.1 Personnel security checks are conducted to determine that a valid and current personnel security investigation has been conducted for each potential employee based on the individual's duties and tasks.
      Test:                We interviewed MPS to understand how MPS conducts personnel security investigations for each potential employee based on the individual's duties and tasks. We inspected a sample of 291 Government-employee personnel security investigations to determine whether they were current and valid and were based on the individual's duties and tasks.
      Result:              Of 291 Government employees, 2 did not have a current personnel security investigation.

      Control Technique:   SP4.1 Termination of Government employees requires debriefing and revoking of all access to DISA applications and systems. Termination debriefing (DISA Form 553) must be signed and maintained by the site Security Manager.
      Test:                We inspected DISA Form 553 for a sample of 33 Government employees at the SMCs, ISCs, and DECC Pacific to determine whether a signed debriefing (DISA Form 553) was on file.
      Result:              Of 33 Government employees, 3 did not have a DISA Form 553 maintained.
                           Of 33 Government employees, 1 did not have a completed DISA Form 553.
      Test:                We inspected documentation for a sample of 33 Government employees at the SMCs, ISCs, and DECC Pacific to determine whether termination included debriefing and revoking of all access to DISA applications and systems.
      Result:              Of 33 Government employees, 1 did not have an out-processing checklist maintained.
                           Of 33 Government employees, 1 did not have a completed out-processing checklist.
                           Of 33 Government employees, 1 did not have a Non-Disclosure statement (debriefing section) maintained.
                           Of 33 Government employees, 1 did not have a completed Non-Disclosure statement (debriefing section).

      Control Technique:   SP4.1 Government employees transferring to organizations outside DISA requires revoking of all access to DISA applications and systems.
      Test:                We inspected a sample of 33 Government employees at the SMCs, ISCs, and DECC Pacific to determine whether termination of Government employees included a debrief and revoking of all access to DISA applications and systems.
      Result:              Of 33 Government employees, 1 did not have an out-processing checklist maintained.
                           Of 33 Government employees, 1 did not have a completed out-processing checklist.

      Control Technique:   SP4.1 The CS Security Handbook prescribes guidelines addressing position sensitivity designations for military and civilian employees.
      Test:                We inspected the CS Security Handbook to determine whether it addressed position sensitivity for military and civilian employees.
      Result:              No relevant exceptions noted.

5.2   Job descriptions for employees (Government and contractor) have been documented and employees understand their duties and responsibilities.

      Control Technique:   SD1.2 All civilian positions have position descriptions.
      Test:                We inspected a sample of 287 personnel files for civilian positions from the SMCs, ISCs, and DECC Pacific to determine whether the position descriptions existed.
      Result:              No relevant exceptions noted.

      Control Technique:   SD1.2 All contractor job requirements are documented within the applicable contract.
      Test:                We inspected a sample of 39 contracts the Defense Information Technology Contracting Organization issued to determine whether the documented contractor job requirements were included in the contracts.
      Result:              No relevant exceptions noted.

      Control Technique:   SD1.3 Supervisors at all levels develop and maintain a performance plan (Form 208) for each individual and ensure that the plan requires performance based on the position description.
      Test:                We inspected a sample of 287 employee performance plans at the SMCs, ISCs, and DECC Pacific to determine whether the plans reflected the relevant position description.
      Result:              No relevant exceptions noted.

      Control Technique:   SD1.3 Supervisors have access to position descriptions, which identify the tasks and functions required by the position.
      Test:                We interviewed supervisors for a sample of 226 employees at the SMCs, ISCs, and DECC Pacific to determine whether they were aware of the tasks and functions required of the employees. We compared their answers to the relevant position descriptions for appropriateness.
      Result:              No relevant exceptions noted.

      Control Technique:   SD2.1 CS management complies with DISAI 220-15-55 to ensure compliance with job descriptions and duties.
      Test:                We identified personnel requirements in DISAI 220-15-55 and inspected a sample of 287 employee performance plans to determine whether the sites complied with DISAI 220-15-55.
      Result:              Of 287 employees, 4 did not have mid-year reviews on their DISA Form 208 Performance Plan.

      Control Technique:   SD3.1 Local written instructions may be followed for the performance of work.
      Test:                We interviewed supervisors on work performance for a sample of 226 Government employees at the SMCs, ISCs, and DECC Pacific to determine whether work performance complied with DISAI 220-15-55.
      Result:              No relevant exceptions noted.

5.3   Employees (Government and contractor) are adequately trained and possess the required skills.

      Control Technique:   SP4.2 SA certification requirements are tracked by MPS.
      Test:                We inspected the SA certification documentation the sites tracked for a sample of 285 SAs at the SMCs, ISCs, and DECC Pacific to determine the appropriateness and completeness of site data.
      Result:              Of 285 SAs, 1 did not have the SA certification signed.
                           Of 285 SA certifications, 1 was outside the 18-month recertification window.
                           Of 285 SAs, 4 did not complete the final SA certification test.

      Control Technique:   SP4.2 Training requirements for IAM and users are established by DoD and DISA policies.
      Test:                We interviewed MPS staff to determine whether DoD and DISA established training requirements for IAM and users in their policies.
      Result:              No relevant exceptions noted.

      Control Technique:   SP4.2 Completion of annual Information Awareness Training is tracked by MPS and CSD IAM.
      Test:                We interviewed MPS staff and the CSD IAM to determine the process for tracking annual Information Awareness Training.
      Result:              No relevant exceptions noted.

      Control Technique:   SP4.2 SA certification requirements are established by DISA policies and maintained by the CIO.
      Test:                We interviewed CIO staff on the DoD and DISA policies used to establish SA certification requirements.
      Result:              No relevant exceptions noted.

5.4   Confidentiality or Non-Disclosure agreements are documented.

      Control Technique:   SP4.1 A Non-Disclosure statement (SF 312) is required for all Government employees.
      Test:                We inspected a sample of 247 Non-Disclosure statements for Government employees at the SMCs, ISCs, and DECC Pacific to determine whether employees signed the statements.
      Result:              Of 247 Government employees, 2 did not sign the Non-Disclosure statement.
                           Of 247 Government employees, 3 did not have a Non-Disclosure statement on file.

      Control Technique:   SP4.1 A Non-Disclosure statement (SF 312) is required for all contractors.
      Test:                We inspected a sample of 255 Non-Disclosure statements for contractor employees at the SMCs, ISCs, and DECC Pacific to determine whether employees signed the statements.
      Result:              Of 255 contractor employees, 1 had an incomplete Non-Disclosure statement at one SMC.

5.5   Incompatible duties have been identified and policies implemented to segregate these duties.

      Control Technique:   SD1.1 Service Level Agreements also describe the roles and responsibilities of CS in maintaining the customer platforms.
      Test:                We obtained and reviewed the CSD Basic Service Level Agreement to determine whether CS roles and responsibilities for maintaining customer platforms were included.
      Result:              No relevant exceptions noted.

      Control Technique:   SD1.1 The CS Security Handbook describes the segregation of duties of CS security personnel. CSD OPS Policy 06-15 describes the segregation of duties of CS personnel not outlined in the CS Security Handbook.
      Test:                We inspected CSD Operations Policy Letter CSD 06-15, "Segregation of Duties," and the CS Security Handbook for segregation of incompatible duties.
      Result:              No relevant exceptions noted.


Resource Classification

No.   
Control Objectives             Control Techniques                           Test of Operating Effectiveness            Results of Testing\n      Controls provide reasonable assurance that information resources are classified according to their Mission Assurance\n 6\n      Category (MAC) and Confidentiality Level (CL).\n6.1   Customers have                 AC1.2 CS customers communicate               We analyzed FY 2007 and FY 2008            No relevant exceptions noted.\n      communicated the               Mission Assurance Criticality (MAC)          SLAs to determine whether they :\n      classification of their        levels to CS for their applications          \xe2\x80\xa2 were approved and signed by both\n      applications to CS.            during the initial business proposal and     CSD and Customer Representative,\n                                     captured in the Service Requirements         \xe2\x80\xa2 identified the MAC and sensitivity\n                                     Form (SRF).                                  level, and\n                                                                                  \xe2\x80\xa2 identified how disposition of data\n                                                                                  should be handled.\n\n6.2   Customer resource              AC1.2 In accordance with DODI                We analyzed FY 2007 and FY 2008            No relevant exceptions noted.\n      classifications and related    8500.2 and DODD 8500.1 system                SLAs to determine whether they\n      criteria have been             owner/customer establishes MAC               identified the MAC and sensitivity\n      formally established.          
level in the SLA based upon their            level.\n                                     assessment of the critical nature of their\n                                     application or system.\n6.3   All DISA owned assets          AC1.1 CS has defined the information         We inspected the site\xe2\x80\x99s current SSAA.      No relevant exceptions noted.\n      are classified according to    resources criticality IAW the DODI           We ran an AS01 Report from the\n      criticality and sensitivity.   8500.2 and documented in the site            Vulnerability Management System at\n                                     SSAA or VMS.                                 the SMCs, ISCs, and DECC Pacific,\n                                                                                  and we selected a sample of 40 assets\n                                                                                  that were both located at and owned by\n                                                                                  the site. We interviewed the IAM to\n                                                                                  determine how the IAM was notified of\n                                                                                  any new assets or changes in criticality\n                                                                                  of assets and how the IAM annotated\n                                                                                  the criticality.\n\n\n\n\n                                                                                  39\n\x0c                                   AC1.2 IAM has reviewed and noted the       We inspected the site\xe2\x80\x99s current SSAA.      Of 40 assets, 1 did not have the correct\n                                   criticality of the DISA owned resources.   
We ran an AS01 Report from the             Confidentiality Level at one ISC.\n                                                                              Vulnerability Management System at\n                                                                              the SMCs, ISCs, and DECC Pacific,\n                                                                              and we selected a sample of 40 assets\n                                                                              that were both located at and owned by\n                                                                              the site. We interviewed the IAM to\n                                                                              determine how the IAM was notified of\n                                                                              any new assets or changes in criticality\n                                                                              of assets and how the IAM annotated\n                                                                              the criticality.\n6.4   Service Level Agreement      AC2.3 SLAs are current and are             We interviewed the site IAM, technical     No relevant exceptions noted.\n      (SLA) management and         available in the Knowledge                 support personnel, or appropriate\n      the disposition of data      Management System database.                personnel on whether, and how, they\n      requirements are                                                        received notification of new SLA\n      identified.                                                             
requirements and whether they used the\n                                                                              Knowledge Management System to\n                                                                              receive new SLA requirements\n                                   AC3.7 All requirements (if applicable)     We interviewed CCC personnel to            No relevant exceptions noted.\n                                   for communications secured by Type I       determine whether CS used encryption\n                                   or Type III crypto devices are             tools. We requested from CCC a list of\n                                   documented in the applicable SLA.          programs that require crypto or\n                                                                              encryption (unclassified). We selected\n                                                                              a sample of 10 programs and reviewed\n                                                                              the applicable SLAs to determine\n                                                                              whether the requirements were\n                                                                              identified.\n6.5   Logical controls over data   AC3.7 If required by the customer in       We interviewed CCC personnel to            No relevant exceptions noted.\n      files and software           the SLA and outlined in the Terms and      determine whether CS used encryption\n      programs.                    Condition (T&C) document, encryption       tools. We requested from CCC a list of\n                                   tools such as Virtual Private Network,     programs that require crypto or\n                                   Secure Socket Layer, Secure Shell, and     encryption (unclassified). 
We selected\n                                   Public Key Infrastructure are used IAW     a sample of 10 programs and reviewed\n                                   the current DOD STIGs where the data       the applicable SLAs to determine\n                                   or the transmission of data needs to be    whether the requirements were\n                                   protected.                                 identified.\n\n\n\n\n                                                                              40\n\x0c6.6   Correct use of encryption   AC3.7 If required by the customer, all    We interviewed CCC personnel on the       No relevant exceptions noted.\n      devices.                    requirements for encryption are           use of encryption tools. We requested\n                                  documented in the applicable SLA.         from CCC a list of programs that\n                                                                            require crypto or encryption\n                                                                            (unclassified). We selected a sample of\n                                                                            10 programs and reviewed the\n                                                                            applicable SLAs to determine whether\n                                                                            the requirements were identified.\n                                  AC3.7 If required by the customer in      We interviewed CCC personnel on the       No relevant exceptions noted.\n                                  the SLA, and included in the T&C          use of encryption tools. We requested\n                                  document, the DOD encryption policy       from CCC a list of programs that\n                                  is applied in accordance with FIPS 140-   require crypto or encryption\n                                  2.                     
                   (unclassified). We selected a sample of\n                                                                            10 programs and reviewed the\n                                                                            applicable SLAs to determine whether\n                                                                            the requirements were identified.\n\n\n\n\n                                                                            41\n\x0cAccount Management\n\nNo.   Control Objectives           Control Techniques                         Test of Operating Effectiveness          Results of Testing\n\n 7    Controls provide reasonable assurance that user account management procedures are implemented and effective.\n\n7.1   DISA managed assets          AC2.1 Each privileged user                 We inspected system-generated            Of 10 mainframes tested, 6 had users\n      have identified authorized   identification issued is evidenced by a    documentation for a sample of            who were granted access to operating\n      users and their authorized   DD Form 2875 (or its predecessor           10 mainframes for:                       data sets and/or system resources and\n      access rights.               DISA Form 41) or an equivalent local            \xe2\x80\xa2 System Programmers                were not identified as privileged users.\n                                   form that has incorporated all the              \xe2\x80\xa2 Security Administrators\n                                   requirements of the DD Form                     \xe2\x80\xa2 Auditors\n                                   2875. 
DD Form 2875, System Access               \xe2\x80\xa2 Production Control/Scheduling\n                                   Authorization Request, requires                 \xe2\x80\xa2 Personnel\n                                   approval from the user\xe2\x80\x99s supervisor, and        \xe2\x80\xa2 Operations Personnel\n                                   validation of user personnel security           \xe2\x80\xa2 DASD Management Personnel\n                                   investigation based on access requested.        \xe2\x80\xa2 Storage Management Personnel\n                                                                              to determine whether privileged users\n                                                                              were identified.\n\n                                                                              Based on the list of privileged users    Of 288 privileged-user DD Forms\n                                                                              maintained by the IAM/IAO, we            2875 tested, 74 were not properly\n                                                                              selected a sample of 288 privileged      completed at four SMCs and three\n                                                                              users and obtained their DD Forms        ISCs.\n                                                                              2875s to verify that the DD Forms 2875\n                                                                              were properly completed.                 
Of the 288 privileged-user DD Forms\n                                                                                                                       2875, 1 was not on file at one SMC.\n                                   AC2.1 IAW DODI 8500.2 and                  We used the assets tested in Control     One ISC tested did not sufficiently\n                                   appropriate DOD STIGs, the site            Objective 6.3 to generate a list of      track privileged users of\n                                   IAM/IAO maintains a list of all            privileged users of those assets to      Windows/Unix systems.\n                                   approved privileged users (privilege       determine whether all privileged users\n                                   user accounts created by CS SAs) for       listed were located on the list of\n                                   operating systems, networks, databases,    privileged users maintained by the\n                                   and web administrators.                    IAM/IAO.\n\n\n\n\n                                                                              42\n\x0c                                AC2.1 The DODI 8500.2, as                  We reviewed and compared local            No relevant exceptions noted.\n                                supplemented by CS Policy 06-05 and        policies regarding account management\n                                CSD Policy 06-12, details the process      to DoD and CSD account management\n                                for granting access to system resources.   
policies.\n\n7.2   IAM/IAO and/or SA         AC2.1 Periodic revalidation of DISA        We interviewed the IAM, IAO, and SM       Of 243 tested personnel, 4 were\n      periodically review       managed systems, IAW applicable            at the SMCs, ISCs, and DECC Pacific       authorized users but were identified as\n      authorization lists to    DOD STIGs and CS Policy 06-05, is          to understand the revalidation process    privileged users at one SMC.\n      determine                 conducted annually by the local            for privileged accounts or privileged\n      appropriateness.          IAM/IAO and/or SA to identify              user accesses.                            Of 243 privileged users, 4 were not\n                                privileged accounts and privileged user                                              revalidated annually at one SMC.\n                                accesses that are no longer needed.        We inspected a sample of\n                                (Customer rental space excluded)           243 privileged users DD Forms 2875        Of 243 privileged-user\n                                                                           at three SMCs, three ISCs, and            DD Forms 2875, 11 were not updated\n                                                                           DECC Pacific to determine the             to indicate revalidation at one ISC.\n                                                                           frequency of revalidation and whether\n                                                                           the revalidation process is in            Of 45 asset sheets, 2 did not have a\n                                                                           accordance with applicable DoD STIGs      completed privileged account\n                                                                           and CS Policy 06-05.                      
revalidation at one SMC.\n\n                                                                           We inspected revalidation evidence in a\n                                                                           sample of 45 privileged accounts\' at\n                                                                           one SMC to determine the frequency of\n                                                                           revalidation and whether the\n                                                                           revalidation process is in accordance\n                                                                           with applicable DoD STIGs and\n                                                                           CS Policy 06-05.\n7.3   Emergency and temporary   AC2.2 Emergency and temporary              We inspected system-generated             Of 10 mainframes, 1 had a test ID in\n      access is controlled.     access authorizations are:                 documentation for a sample of             an active and not suspended state.\n                                \xe2\x80\xa2 documented and maintained on file,       10 mainframes to determine whether\n                                \xe2\x80\xa2 approved by appropriate management,      management controlled emergency and\n                                \xe2\x80\xa2 communicated to the IAM, and             temporary access authorizations..\n                                \xe2\x80\xa2 terminated after a predetermined\n                                period on a case by case basis.            
We interviewed CS personnel at the        No relevant exceptions noted.\n                                                                           SMCs, ISCs, and DECC Pacific to\n                                                                           determine whether emergency changes\n\n\n\n\n                                                                           43\n\x0c                                                                            were made. For the one SMC that had\n                                                                            emergency changes, we inspected a\n                                                                            sample of two emergency and\n                                                                            temporary user access requests to\n                                                                            determine whether authorizations were:\n                                                                            \xe2\x80\xa2 documented and maintained on file,\n                                                                            \xe2\x80\xa2 approved by appropriate management,\n                                                                            \xe2\x80\xa2 securely communicated to the IAM,\n                                                                            and\n                                                                            \xe2\x80\xa2 terminated after a predetermined\n                                                                            period on a case-by-case basis.\n\nPhysical Security\n\nNo.   Control Objectives        Control Techniques                          Test of Operating Effectiveness           Results of Testing\n\n 8    Controls provide reasonable assurance that adequate physical controls have been implemented.\n\n8.1   Perimeter (Base Level).   
AC3.1 Physical safeguard procedures         We observed the physical inner and         No relevant exceptions noted.\n                                include:                                    outer perimeters of the CS facility at\n                                \xe2\x80\xa2 controlled access and controlled          the SMCs, ISCs, and DECC Pacific to\n                                perimeters for CS facilities located on     determine whether:\n                                military or GSA installations;              \xe2\x80\xa2 individuals attempting to access the\n                                \xe2\x80\xa2 verification of DoD identification,       CS facility were required to present\n                                such as a Common Access Card or             valid DoD identification;\n                                DISA badge;                                 \xe2\x80\xa2 perimeter security was in place to\n                                \xe2\x80\xa2 enclosed perimeter, by a fence that       control vehicle and pedestrian access;\n                                controls vehicle and pedestrian access,     \xe2\x80\xa2 access to administrative areas was\n                                for CS facilities not located on military   controlled by a guard, mechanical\n                                or GSA installation;                        cipher lock, or automated access\n                                \xe2\x80\xa2 IAW local Base Support Agreement,         control system; and\n                                if required, routine patrol and random      \xe2\x80\xa2 routine patrol and random door checks\n                                door checks are performed by the local      were performed by the military base,\n                                military, DoD, or GSA guards; and           DoD, or GSA guards in accordance\n                                \xe2\x80\xa2 access to the administrative areas is     with applicable base support\n                
                controlled by guard, mechanical cipher,     agreements.\n\n\n\n\n                                                                            44\n\x0c                                  or automated access\n                                  control system.\n\n\n\n8.2   Building, administration,   AC3.1 Computer Rooms not located at         We interviewed local security              No relevant exceptions noted.\n      and computer facility.      a DISA facility will follow the             personnel to determine whether the\n                                  requirements of the hosting site.           three DISA DECCs not located at\n                                                                              DISA facilities followed the host sites\xe2\x80\x99\n                                                                              requirements.\n                                  AC3.1 The area of the computer facility     We observed the computer facility          No relevant exceptions noted.\n                                  that contains unclassified                  areas that contained unclassified\n                                  equipment/information is in compliance      equipment to determine whether the\n                                  with the requirements outlined in DOD       areas complied with the requirements\n                                  5200.8 R, specifically:                     outlined in DoD 5200.8R, specifically\n                                  \xe2\x80\xa2 Electronic Security System                by having:\n                                  \xe2\x80\xa2 Entry and Circulation Control             \xe2\x80\xa2 an electronic security system,\n                                  \xe2\x80\xa2 Barriers                                  \xe2\x80\xa2 entry and circulation control,\n                                  \xe2\x80\xa2 Security Patrols/Designated Response      \xe2\x80\xa2 barriers, and\n                        
          Force.                                      \xe2\x80\xa2 security patrols/designated response\n                                                                              force.\n\n                                  AC3.1 Computer facilities have at least     We observed access to the computer         No relevant exceptions noted.\n                                  two levels of physical security controls.   facilities for the SMCs, ISCs, and\n                                                                              DECC Pacific to determine whether\n                                  \xe2\x80\xa2 Access to the computer facility           such access required at least two levels\n                                  requires positive identification of the     of physical security controls through\n                                  employee. Through the use of                the use of something they have (for\n                                  something they have (e.g., proxy card,      example, a proxy card or DoD\n                                  DOD identification card, etc.),             identification card); something they\n                                  something they know (e.g., pin number,      knew (for example, a personal\n                                  etc.) and /or something they are (e.g.,     identification number); or something\n                                  biometrics)                                 they were, (for example, biometrics).\n\n                                  \xe2\x80\xa2 Employees must wear their picture         We observed CS employees at the\n                                  identification cards above the waist.       SMCs, ISCs, and DECC Pacific to\n\n\n\n\n                                                                              45\n\x0c                                 Employees not in compliance will be         determine whether picture\n                                 challenged.                      
      ... identification cards were worn above the waist. We observed whether security or others challenged CS employees who did not comply.

8.3   Visitors are controlled.
      Control Technique: AC3.1 All CS site SMs must maintain an authorized access list to the CS facility.
      Test of Operating Effectiveness: We inspected authorized access lists for a sample of employees at the SMCs, ISCs, and DECC Pacific to determine whether facility access was appropriate.
      Results of Testing: No relevant exceptions noted.

      Control Technique: AC3.1 Personnel who do not have the appropriate security investigation or clearance will be escorted at all times while in the computing facility.
      Test of Operating Effectiveness: We interviewed the site SM at the SMCs, ISCs, and DECC Pacific to understand the local site-specific badge color codes and the process for escorting visitors. We observed visitors with badges who required escort to determine whether such visitors were escorted at all times.
      Results of Testing: No relevant exceptions noted.

      Control Technique: AC3.2 Visitors to the computing facilities that are not on the authorized access list must be validated by the local security officer, signed in and out of the facility, and escorted as required.
      Test of Operating Effectiveness: We interviewed the local security officer and security guards for the SMCs, ISCs, and DECC Pacific about how they handled visitors who were not on the authorized access list. We observed security officers and visitors at the SMCs, ISCs, and DECC Pacific to determine whether local security officers validated the visitors.
      Results of Testing: No relevant exceptions noted.

8.4   Traditional Security Review.
      Control Technique: AC3.3 As part of the site certification and accreditation process, a periodic Traditional Security review is conducted by the Certifying Authority at a minimum every 3 years, or more frequently based on the classification levels processed by the site.
      Test of Operating Effectiveness: We interviewed FSO personnel about the system classification levels and how they affected the traditional security review process and schedule. We inspected the traditional security review schedule the FSO provided to determine whether the FSO performed the reviews in accordance with the system classification levels. We inspected DITSCAP documentation and the traditional security review for the SMCs, ISCs, and DECC Pacific to determine the date of the last traditional security review.
      Results of Testing: No relevant exceptions noted.

Logical Access Controls

No.   Control Objectives          Control Techniques          Test of Operating Effectiveness          Results of Testing

9     Controls provide reasonable assurance that adequate logical access controls have been implemented.
      Design Weakness: CS does not have control procedures in place to ensure that adequate logical access controls have been implemented. Specifically, control procedures are needed to ensure the following: (a) password configurations are in compliance with DoD STIGs and (b) all access paths have been identified and controls implemented to prevent and detect access.

9.1   Passwords, tokens, or other devices are used to identify and authenticate users.
      Control Technique: AC3.2 Password configuration requirements, at the system level, will be in compliance with the appropriate current DOD STIG or JTF-GNO policy.
      Test of Operating Effectiveness: We inspected system-generated documentation for a sample of 10 mainframes, 34 UNIX, 56 Windows, and 42 network devices the SMCs and ISCs managed to determine whether the password configuration settings complied with the appropriate DoD STIG or JTF-GNO policy.
      Results of Testing: Refer above to item (a) of the design weakness. Password configurations were not set in accordance with the appropriate DoD STIG or JTF-GNO policy for 2 of 10 mainframes, 2 of 34 UNIX, 6 of 56 Windows, and 2 of 42 network devices tested.

      Control Technique: AC3.2 Vendor-supplied default logons and passwords will be removed, changed, or disabled in accordance with the appropriate current DOD STIG or JTF-GNO policy.
      Test of Operating Effectiveness: We inspected system-generated documentation for a sample of 10 mainframes, 34 UNIX, 56 Windows, and 42 network devices the SMCs and ISCs managed to determine whether the vendor-supplied default logons and passwords were removed, changed, or disabled in accordance with the appropriate DoD STIG or JTF-GNO policy.
      Results of Testing: No relevant exceptions noted.

      Control Technique: AC3.2 Passwords are checked for compliance with the current DOD STIG or JTF-GNO policy as part of a DISA-approved scanning tool, password cracking utilities, or SRRs.
      Test of Operating Effectiveness: We inspected the configuration of password cracking software for a sample of 10 mainframes, 34 UNIX, 56 Windows, and 42 network devices the SMCs and ISCs managed to determine whether management checked passwords for compliance with the current DoD STIG or JTF-GNO policy.
      Results of Testing: Of 34 UNIX servers tested, 2 did not have passwords checked using an approved utility.

9.2   Sanitation of equipment and media prior to disposal or reuse.
      Control Technique: AC3.8 Sanitation of equipment and media prior to disposal or reuse is performed in accordance with DoD Regulation 5200.1-R, the CS Security Handbook, CSD Policy 06-29, CSD Policy 06-17, and the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) Memorandum, "Disposition of Unclassified DoD Computer Hard Drives," dated June 4, 2001.
      Test of Operating Effectiveness: We interviewed local security personnel to determine whether the process for disposing of equipment and media that the SMCs, ISCs, and DECC Pacific followed complied with DoD and local policies. We inspected sanitized equipment logs for a sample of 88 pieces of equipment and verified evidence of proper sanitization and disposal.
      Results of Testing: No relevant exceptions noted.

9.3   Access paths have been identified and controls implemented to prevent or detect access.
      Control Technique: AC3.4 Access paths are identified within the communications topography for each CS site. The communications topography shows connections from the wide area network into the perimeter point of presence down to the individual Internet Protocol addresses of all devices within the enclave.
      Test of Operating Effectiveness: We interviewed CCC personnel to ensure they identified access paths and showed the paths on network diagrams, and to ensure controls were in place to prevent or detect access. We interviewed CCC personnel to determine how and when they updated network diagrams.
      Results of Testing: No relevant exceptions noted.

      Control Technique: AC3.4 System software is configured in accordance with the current DOD STIG, Admin LAN CONOPS, and DISA DPL 06-10.
      Test of Operating Effectiveness: We inspected system-generated documentation for a sample of 10 mainframes, 34 UNIX, 56 Windows, and 42 network devices that the SMCs and ISCs managed. We determined whether the operating system software was configured in accordance with the current DoD STIG and CSD Policy.
      Results of Testing: Refer above to item (b) of the design weakness. Of the samples tested, 10 of 10 mainframes, 34 of 34 UNIX, 55 of 56 Windows, and 15 of 42 network devices were not configured in accordance with the current DoD STIG and CSD Policy.

      Control Technique: AC3.4 Network diagrams are developed and maintained to show access paths.
      Test of Operating Effectiveness: We interviewed CCC personnel to ensure they identified access paths and showed the paths on network diagrams, and to ensure controls were in place to prevent or detect access. We interviewed CCC personnel to determine how and when they updated network diagrams.
      Results of Testing: No relevant exceptions noted.

      Control Technique: AC3.4 Operating system software is configured IAW the current DOD STIG and CSD Policy.
      Test of Operating Effectiveness: We inspected system-generated documentation for a sample of 10 mainframes, 34 UNIX, 56 Windows, and 42 network devices managed by the SMCs and ISCs. We determined whether the operating system software was configured in accordance with the current DoD STIG and CSD Policy.
      Results of Testing: Refer above to item (b) of the design weakness. Of samples tested, 10 of 10 mainframes, 34 of 34 UNIX, 55 of 56 Windows, and 15 of 42 network devices were not configured in accordance with the current DoD STIG and CSD Policy.

      Control Technique: AC3.4 Access to data files and software programs is configured IAW the current DOD STIG and CSD Policy.
      Test of Operating Effectiveness: We inspected system-generated documentation for a sample of 10 mainframes, 34 UNIX, 56 Windows, and 42 network devices managed by the SMCs and ISCs to determine whether access to data files and software programs was configured in accordance with the current DoD STIG and CSD Policy.
      Results of Testing: Of samples tested, 8 of 10 mainframes, 25 of 34 UNIX, 16 of 56 Windows, and 1 network device were not in accordance with the DoD STIG and CSD Policy.

Networks and Telecommunications

No.    Control Objectives          Control Techniques          Test of Operating Effectiveness          Results of Testing

10     Controls provide reasonable assurance that networks and telecommunications are secure.

10.1   Telecommunication defense.
       Control Technique: AC3.6 Dial-in telephone numbers are not published.
       Test of Operating Effectiveness: We interviewed personnel at the SMCs, ISCs, and DECC Pacific to determine who managed dial-up services, whether the services were centrally managed (permission for remote access) or managed at each location, and whether the telephone numbers were published.
       Results of Testing: No relevant exceptions noted.

       Control Technique: AC3.6 Telecommunications access is controlled by the managing CCC for the network devices, to include firewall and network IDSs, at all sites within the continental United States for the unclassified wide area network. CCC personnel have access to those networks through the out-of-band virtual private network tunnel for all networks so equipped.
       Test of Operating Effectiveness: We interviewed CCC personnel to determine how they controlled and managed the networks. We identified what controls were in place to ensure that access to the network or production network was only through the out-of-band network.
       Results of Testing: No relevant exceptions noted.

10.2   Network defense.
       Control Technique: AC3.4 Network access paths are configured to prevent circumvention of security and unauthorized access in accordance with the current DOD STIGs and CSD OPS policy.
       Test of Operating Effectiveness: We inspected a sample of 10 mainframes and 42 network devices to determine whether configurations complied with current DoD STIGs and CSD OPS policy.
       Results of Testing: Of 10 mainframes, 2 were not configured in accordance with the DoD STIG and CSD OPS Policy.

       Control Technique: AC3.4 Networking equipment is configured in accordance with the current DOD STIGs and CSD OPS policy.
       Test of Operating Effectiveness: We inspected a sample of 42 network devices to determine whether configurations complied with current DoD STIGs and CSD OPS policy.
       Results of Testing: Of 42 network devices tested, 14 were not configured in accordance with the current DoD STIG and CSD OPS Policy.

10.3   Remote and dial-up capabilities are controlled.
       Control Technique: AC3.4 Remote access is established in accordance with current DOD STIGs.
       Test of Operating Effectiveness: We interviewed personnel at the SMCs, ISCs, and DECC Pacific to determine how remote access was established. We reviewed site policies and procedures to determine whether the procedures complied with DoD STIGs.
       Results of Testing: No relevant exceptions noted.

10.4   Actual or attempted unauthorized, unusual, or sensitive network access is monitored.
       Control Technique: AC3.5 Network intrusion detection systems are installed in accordance with the DOD STIGs and monitor unusual and/or inappropriate activity.
       Test of Operating Effectiveness: We inspected system-generated documentation for a sample of 23 UNIX, 32 Windows, and 28 network devices managed by the CCCs to determine whether intrusion detection systems were installed in accordance with DoD STIGs.
       Results of Testing: Of samples tested, 22 of 23 UNIX and 11 of 32 Windows did not have host-based intrusion detection systems installed in accordance with the current DoD STIG.

       Control Technique: AC3.5 Procedures are in place for monitoring, investigating, and reporting inappropriate or unusual activity. The DOD STIG and CS Policy outline what activity is to be monitored for inappropriate or unusual activities.
       Test of Operating Effectiveness: We obtained and compared the local policies from the SMCs, ISCs, and DECC Pacific to determine whether personnel complied with the CSD network monitoring policy.
       Results of Testing: No relevant exceptions noted.

10.5   Suspicious network access activity is investigated and appropriate action is taken.
       Control Technique: AC4.2 Suspicious access activity is investigated and appropriate action taken in accordance with GS4 LOI 07-11 and CS Policy 06-02.
       Test of Operating Effectiveness: We interviewed personnel at the CCCs, SMCs, ISCs, and DECC Pacific to understand how they monitored suspicious activity. We inspected records for a sample of 104 suspicious activities reported from April 1, 2007, to month date, year, to verify that personnel followed the appropriate policies when reporting the suspicious activities.
       Results of Testing: No relevant exceptions noted.

Access Monitoring

No.    Control Objectives          Control Techniques          Test of Operating Effectiveness          Results of Testing

11     Controls provide reasonable assurance that access is monitored, suspected security violations are investigated, and appropriate remedial action is taken.
       Design Weakness: CS does not have control procedures in place to ensure that access is monitored, suspected security violations are investigated, and appropriate remedial action is taken. Specifically, control procedures are needed to ensure that audit trails are being maintained and reviewed.

11.1   Audit trails are maintained.
       Control Technique: AC3.5 System auditing review is in accordance with DOD STIGs. (Please refer to CSD Management Letter.)
       Test of Operating Effectiveness: We interviewed DECC personnel to determine:
       • how they configured audit trails to capture data, and which data;
       • the frequency of backups, the location of the alternate media, and the retention timeframe by technology; and
       • how they conducted the review of the audit trails.
       Results of Testing: Three SMCs and one ISC did not review audit logs based on DoD requirements.

       Test of Operating Effectiveness: We interviewed SAs and IAOs for a sample of 10 mainframes, 34 UNIX, 56 Windows, and 42 network devices the SMCs and ISCs managed to determine whether the auditing review was in accordance with DoD STIGs.
       Results of Testing: Of samples tested, 4 of 34 UNIX and 2 of 56 Windows systems did not have evidence that confirmed personnel reviewed audit trails and system log files in accordance with DoD STIGs.

       Control Technique: AC3.5 System auditing is enabled in accordance with DOD STIGs. (Please refer to CSD Management Letter.)
       Test of Operating Effectiveness: We interviewed SAs and IAOs for a sample of 10 mainframes, 34 UNIX, 56 Windows, and 42 network devices the SMCs and ISCs managed to determine whether system auditing was enabled in accordance with DoD STIGs.
       Results of Testing: Refer to the design weakness above. Of samples tested, 7 of 10 mainframes, 4 of 34 UNIX, and 2 of 56 Windows servers were not configured to audit in accordance with DoD STIGs.

       Control Technique: AC4.1 Auditing is conducted in accordance with DOD STIGs. (Please refer to CSD Management Letter.)
       Test of Operating Effectiveness: We interviewed SAs and IAOs for a sample of 10 mainframes, 34 UNIX, 56 Windows, and 42 network devices the SMCs and ISCs managed to determine whether an audit was conducted in accordance with DoD STIGs.
       Results of Testing: Of 10 mainframes, 7 did not have auditing conducted in accordance with DoD STIGs. Of samples tested, 4 of 34 UNIX, 10 of 56 Windows, and 13 of 42 network devices did not retain audit logs in accordance with DoD STIGs. Of 56 Windows servers, 1 did not back up audit records to separate media.

11.2   Effective incident response capability has been implemented.
       Control Technique: SP3.4 TMS Remedy Tickets and/or email are used as CSD’s incident response and reporting tool. Specifically, the following items from the questionnaire must be completed:
       • Were redundant systems available and working? If no, explain.
       • Confirm the overall impact the outage has on the customer mission.
       • Was scheduled batch processing jobs delayed? If yes, ensure question (2) is completely answered.
       • How many customer/user calls have been received?
       • Does this Incident exist in the Known Error Database (KEDB)?
       Test of Operating Effectiveness: We interviewed personnel at the SMCs, ISCs, and DECC Pacific to determine how they performed incident response and reporting. We inspected a sample of 247 TMS tickets at the SMCs, ISCs, and DECC Pacific to determine whether personnel properly completed the questionnaires.
       Results of Testing: Of 247 TMS tickets, 15 had incorrect, incomplete, or missing questionnaires at two SMCs and two ISCs.

       Control Technique: SP3.4 GS4 07-11 and CS Policy Letter CSD 06-02 provide guidance on handling incidents, the incident reporting structure, and prioritization of incidents that is consistent with the attributes noted in DODI 8500.2.
       Test of Operating Effectiveness: We determined whether the SMCs, ISCs, and DECC Pacific followed the CSD Incident Handling Plan or a local Incident Handling Plan. We determined whether the CSD Incident Handling Plan (GS4 07-11 and CS Policy Letter CSD 06-02) or the local plan complied with DoD policy.
       Results of Testing: No relevant exceptions noted.

Change Control

No.    Control Objectives          Control Techniques          Test of Operating Effectiveness          Results of Testing

12     Controls provide reasonable assurance that changes to DISA-owned assets are properly controlled.

12.1   DISA-initiated specific software or hardware modifications are authorized and the documentation is maintained.
       Control Technique: CC1.1 Customer-requested changes: In accordance with the CS Operational Change and Configuration Management Plan, proposed changes to hardware, operating system, utility software, communications, and networks are reviewed and approved in accordance with established criteria. Local Change Control Boards (CCBs) are in place at each of the four SMCs and three ISCs to oversee the change review and approval process. The site IAM is a voting member of the local CCBs.
       Test of Operating Effectiveness: At the SMCs, ISCs, and DECC Pacific, we:
       • obtained the local CCB charter;
       • sought to understand the local CCB process, and we documented that process;
       • obtained a list of the local CCB members and asked whether the site IAM was a voting member of the CCB;
       • obtained copies of the minutes for the last five CCB meetings. We reviewed and determined whether the minutes contained discussions of approval and disapproval of changes to hardware and OS software; and
       • asked how distribution and implementation of software was communicated to appropriate organizations, and asked whether there was an audit trail of software distribution.
       At two SMCs and one ISC, we asked whether the site used Software Factory (SWF) or another system to track software distribution.
       Results of Testing: No relevant exceptions noted.

       Control Technique: CC1.1 In accordance with the CS Operational Change and Configuration Management Plan, proposed changes to hardware, operating system, utility software, communications, and networks are reviewed and approved in accordance with established criteria. Local CCBs are in place at each of the four SMCs and three ISCs to oversee the change review and approval process. The site IAM is a voting member of the local CCBs.
       Test of Operating Effectiveness: At the SMCs, ISCs, and DECC Pacific, we:
       • obtained the local CCB charter;
       • sought to understand the local CCB process, and we documented that process;
       • obtained a list of the local CCB members and asked whether the site IAM was a voting member of the CCB;
       • obtained copies of the minutes for the last five CCB meetings. We reviewed and determined whether they contained discussions of approval and disapproval of changes to hardware and OS software;
       • inquired how distribution and implementation of software was communicated to appropriate organizations, and whether there was an audit trail of software distribution.
       At two SMCs and one ISC, we asked whether the site used Software Factory (SWF) or another system to track software distribution.
       Results of Testing: No relevant exceptions noted.

       Control Technique: CC3.2 Verification and acceptance of OS and utility software changes is documented and approved, and movements are controlled. The ESCCB provides this control for OS and utility software at the Corporate level. Local Change Management controls the implementation of OS and executive software changes at the SMC and ISC level. All ESCCB actions are documented and approved. Minutes of each ESCCB meeting are published, and all documentation is maintained and is available online or upon request. The actual distribution of IBM mainframe software is controlled via an ESCCB and Software Factory (SWF) interface. All software distributed by the SWF is tracked, notifications are provided to appropriate organizations, and a complete audit trail is retained.
       Test of Operating Effectiveness: We inspected the ESCCB operating procedure document outlining the role of the ESCCB to determine whether the ESCCB controlled utility and operating system changes. We inspected evidence to determine whether the ESCCB documented and approved all ESCCB actions, and whether the minutes of the ESCCB meetings were available. We inspected the System Support Office product procedure installation guide for the mainframe systems at one site to determine whether the System Support Office tracked, notified all appropriate organizations, and retained a complete audit trail for all software distributed by the SWF.
       Results of Testing: No relevant exceptions noted.

12.2   New and modified hardware and OS/utility software is tested and controlled according to specific criteria.
       Control Technique: CC2.1 As part of the SSOPAC process for IBM mainframe OS releases:
       • integration testing is performed to ensure functionality;
       • performance and stress testing is performed, as required, to identify impacts on system performance;
       • security testing is performed for each OS system software release.
       Based upon test results, actions are initiated to rectify identified software deficiencies, performance impacts, and security problems.
       Test of Operating Effectiveness: We interviewed System Support Office management personnel for the IBM mainframes based at DECC Mechanicsburg to determine their process for performing integration testing, performance and stress testing, and security testing on IBM mainframe operating system releases.
       Results of Testing: No relevant exceptions noted.

       Control Technique: CC2.1 Document changes to hardware and OS software in the minutes of the CCB.
       Test of Operating Effectiveness: At the SMCs, ISCs, and DECC Pacific, we:
       • obtained the local CCB charter;
       • obtained an understanding of the local CCB process and documented that process;
       • obtained a list of the local CCB members and inquired whether the site IAM is a voting member of the CCB;
       • obtained copies of the last five CCB meeting minutes.
       Results of Testing: No relevant exceptions noted.
Reviewed and\n                                                                               determined whether they contain\n                                                                               discussions of approval and disapproval\n                                                                               of changes to hardware and OS\n\n\n\n\n                                                                               56\n\x0c                                                                             software; and\n                                                                             \xe2\x80\xa2 inquired how distribution and\n                                                                             implementation of software was\n                                                                             communicated to appropriate\n                                                                             organizations, and whether there was an\n                                                                             audit trail of software distribution.\n\n                                  CC2.1 New systems, and changes to          We inspected documentation for a          No relevant exceptions noted.\n                                  existing systems, are reviewed by an       sample of 302 Category I and II\n                                  approving authority prior to connection    Changes to ensure they complied\n                                  to the network in accordance with CSD      with CS Standard Operating\n                                  Policy Letter GS4 07-16.                   Procedure 07-16.\n12.3   Emergency changes are      CC2.2 Emergency change procedures          We reviewed the DISA CS Operational       No relevant exceptions noted.\n       promptly approved.         
are documented in the CS Change and        Change and Configuration\n                                  Configuration Management Plan.             Management Plan to ensure it complied\n                                                                             with DoD Instruction 8500.2.\n12.4   Movement of programs       CC3.1 Mainframe Executive Software         We inspected system documentation         No relevant exceptions noted.\n       and data among libraries   products are recorded and tracked.         from the Mechanicsburg SWF for\n       is controlled.             Inventories are maintained which           mainframe systems to determine\n                                  include version, maintenance level, out-   whether mainframe executive software\n                                  of-support date, and documentation.        programs were recorded and tracked,\n                                                                             and whether an inventory was\n                                                                             maintained that included the version,\n                                                                             maintenance level, out-of-support date,\n                                                                             and related documentation\n\n12.5   Use of public domain and   CC1.2 Use of personal and public           We inspected a sample of 80 desktop       Of 80 desktop computers, 9 contained\n       personal software is       domain software on Government              computers to verify personal and public   unauthorized software at two SMCs\n       restricted.                Equipment is in accordance with            domain software was in accordance         and one ISC.\n                                  DODD 8500.1 and CSD OPS policy             with DOD Instruction 8500.1 and CSD\n                                  06-03.                                     
OPS Policy 06-03.\n\n\n\n\n                                                                             57\n\x0cService Continuity\n\nNo.    Control Objectives        Control Techniques                         Test of Operating Effectiveness            Results of Testing\n\n       Controls provide reasonable assurance that procedures and controls are in place to prevent or minimize unexpected\n 13\n       interruptions.\n\n13.1   Data and program backup   SC2.1 As a standard service, each site     We interviewed computer center             No relevant exceptions noted.\n       procedures have been      has an off-site and transportation         operations staff at the SMCs, ISCs, and\n       implemented.              agreement. (The customer must agree        DECC Pacific to determine their\n                                 to pay for additional services not         off-site and transportation requirements\n                                 included in the standard package and       for backup media.\n                                 documented in the SLA.)\n                                                                            We inspected the off-site transportation\n                                                                            agreement for the SMCs, ISCs, and\n                                                                            DECC Pacific to determine whether\n                                                                            personnel transported backup media to\n                                                                            the off-site location in accordance with\n                                                                            SLA requirements.\n                                 SC2.1 Standard data and program            We inspected the off-site transportation   No relevant exceptions noted.\n                                 backup procedures (outlined in CS          agreement for SMCs, ISCs, and\n 
                                Policy Ltr 06-01) are conducted in         DECC Pacific to determine whether the\n                                 accordance with the appropriate DOD        agreement included:\n                                 STIGs, SLA requirements and CSD            \xe2\x80\xa2 weekly full data backup,\n                                 Policy Ltr 06-01. (The customer must       \xe2\x80\xa2 incremental daily backup,\n                                 agree to pay for additional services not   \xe2\x80\xa2 detailed back up procedures,\n                                 included in the standard package and       \xe2\x80\xa2 a plan for rotating backup media, and\n                                 documented in the SLA.)                    \xe2\x80\xa2 storage and retention procedures for\n                                                                            backup media.\n\n\n\n\n                                                                            58\n\x0c13.2   Environmental Controls   SC2.2 Computing facilities and support      At the SMCs, ISCs, and DECC Pacific,        No relevant exceptions noted.\n       have been implemented.   areas have automatic notification of        we interviewed data center personnel\n                                activation of smoke detectors that alarm    and inspected the data center to\n                                locally and at supporting fire              determine whether the following\n                                department.                                 environmental controls were in place:\n                                \xe2\x80\xa2 Some administration areas have            \xe2\x80\xa2 automatic notification of activation of\n                                automatic notification of activation of     smoke detectors that alarms locally and\n                                smoke detectors. 
Some of these alarm        at the supporting fire department,\n                                locally; some alarm locally and at the      \xe2\x80\xa2 annual fire inspections,\n                                supporting fire department.                 \xe2\x80\xa2 automatic activation of fire\n                                \xe2\x80\xa2 Fire inspections are made based on        suppression systems, and\n                                local site rules.                           \xe2\x80\xa2 administration areas either having\n                                \xe2\x80\xa2 Computing facilities and support areas    automatic activation of fire suppression\n                                have automatic activation of fire           systems or hand-held extinguishers.\n                                suppression systems.\n                                \xe2\x80\xa2 Administration areas have either\n                                automatic activation of fire suppression\n                                systems or hand-held extinguishers\n                                located throughout the area.\n                                SC2.2 Computer facilities have:             At the SMCs, ISCs, and DECC Pacific,        Temperature and humidity gauges\n                                \xe2\x80\xa2 automatic humidity and temperature        we interviewed data center personnel        were not working properly at one ISC.\n                                controls systems that alarm when            and inspected the data center to\n                                established humidity and temperature        determine whether the following\n                                conditions are exceeded;                    environmental controls were in place:\n                                \xe2\x80\xa2 a master power switch located at or       \xe2\x80\xa2 automatic humidity and temperature\n                                near the main entrance, which is labeled    controls systems 
that alarm;\n                                and protected by a cover to prevent         \xe2\x80\xa2 a master power switch located at or\n                                accidental shut-off;                        near the main entrance, labeled and\n                                \xe2\x80\xa2 automatic voltage control systems that    protected by a cover to prevent\n                                alarm if the voltage fluctuates beyond      accidental shut-off;\n                                established safe operations levels;         \xe2\x80\xa2 automatic voltage control systems that\n                                \xe2\x80\xa2 a minimum of two electrical feeds;        alarm;\n                                \xe2\x80\xa2 battery powered uninterrupted power       \xe2\x80\xa2 a minimum of two electrical feeds;\n                                system to provide sufficient power to all   \xe2\x80\xa2 battery powered uninterrupted power\n                                systems in the computer room to allow       supplies and voltage regulators; and\n                                for at least 20 minutes of operations       \xe2\x80\xa2 backup generators that are tested\n                                \xe2\x80\xa2 backup generators that are set to         monthly and set to automatically start.\n\n\n\n\n                                                                            59\n\x0c                                 automatically start-up and generate\n                                 power when commercial power fails.\n                                 The generators are tested monthly for\n                                 operations and power generations.\n                                 Additional fuel and spare parts are on\n                                 hand to provide for sustained\n                                 operations.\n13.3   IT Hardware maintenance   SC2.4 Policies and procedures for IT     We reviewed IT equipment                 No 
relevant exceptions noted.\n       controls have been        equipment maintenance exist and are      maintenance policies and procedures to\n       implemented.              up-to-date.                              determine their adequacy for the\n                                                                          current operating environment of the\n                                                                          computing facility.\n                                 SC2.4 Routine periodic preventive        We interviewed computer operations       No relevant exceptions noted.\n                                 maintenance on IT equipment is           personnel at the SMCs, ISCs, and\n                                 scheduled and performed in accordance    DECC Pacific to determine the process\n                                 with vendor specifications and in a      for scheduling preventative\n                                 manner that minimizes the impact on      maintenance on facilities equipment\n                                 operations or as provided for in the     and tracking completion of scheduled\n                                 maintenance contract.                    maintenance.\n\n                                 SC2.4 Regular and unscheduled            We interviewed computer operations       No relevant exceptions noted.\n                                 maintenance on IT equipment is           personnel at the SMCs, ISCs, and\n                                 performed and documented.                
DECC Pacific to determine the process\n                                                                          for scheduling maintenance on\n                                                                          IT equipment and documenting\n                                                                          completion of scheduled/unscheduled\n                                                                          maintenance.\n\n                                 SC2.4 Flexibility exists in the data     We obtained and reviewed the schedule    No relevant exceptions noted.\n                                 processing operations to accommodate     for routine IT equipment preventive\n                                 regular and a reasonable amount of       maintenance.\n                                 unscheduled maintenance.\n                                                                          We interviewed the Facilities Manager\n                                                                          to determine whether personnel\n                                                                          documented the unscheduled\n                                                                          maintenance on IT hardware.\n\n\n\n\n                                                                          60\n\x0c                                                                               We requested any unscheduled\n                                                                               maintenance records that occurred in\n                                                                               the previous 6 months.\n\n                                    SC2.4 Spare or backup hardware is          We interviewed computer operations        No relevant exceptions noted.\n                                    used to provide a high level of system     personnel for the SMCs, ISCs, and\n                                    
availability for critical and sensitive    DECC Pacific to determine whether\n                                    applications.                              spare or backup hardware inventory\n                                                                               existed.\n\n                                    SC2.4 Records are maintained on the        We obtained and reviewed the schedule     No relevant exceptions noted.\n                                    actual performance in meeting IT           for routine IT equipment preventive\n                                    equipment service schedules.               maintenance.\n\n                                                                               We obtained and reviewed the\n                                                                               IT hardware maintenance records. We\n                                                                               compared the maintenance records to\n                                                                               the maintenance service schedule and\n                                                                               determined whether the records were in\n                                                                               accordance to the service schedule.\n13.4   Staff have been trained to   SC2.3 Data center staff receive periodic   We interviewed the Security Manager       No relevant exceptions noted.\n       respond to emergencies.      training in emergency fire, flooding,      to determine whether employees\n                                    and alarm incident procedures.             
received initial and annual training in\n                                                                               emergency response.\n\n                                                                               We determined how the site keeps track\n                                                                               of employees\xe2\x80\x99 understanding and\n                                                                               training of emergency response\n                                                                               procedures.\n                                    SC2.3 Emergency response procedures        We inspected emergency response           No relevant exceptions noted.\n                                    are documented.                            procedures for the SMCs, ISCs, and\n                                                                               DECC Pacific to determine whether\n                                                                               procedures were documented.\n\n\n\n\n                                                                               61\n\x0c                              SC2.3 Emergency procedures are           We inspected emergency plans and test      One ISC did not perform an annual fire\n                              periodically tested.                     
results for the SMCs, ISCs, and            drill.\n                                                                       DECC Pacific to determine whether\n                                                                       personnel tested emergency procedures\n                                                                       annually and documented the test\n                                                                       results.\n                              SC2.3 Data center employees have         We interviewed the SM at the               No relevant exceptions noted.\n                              received training and understand their   SMCs, ISCs, and DECC Pacific to\n                              emergency roles and responsibilities.    determine whether employees received\n                                                                       initial and annual training in emergency\n                                                                       response. We determined how the site\n                                                                       tracked employees\xe2\x80\x99 understanding and\n                                                                       training of emergency response\n                                                                       procedures.\n13.5   Facility maintenance   SC2.4 Flexibility exists in the data      We interviewed the Facilities Manager     No relevant exceptions noted.\n       controls have been     processing operations to accommodate     at the SMCs, ISCs, and DECC Pacific\n       implemented.           regular and a reasonable amount of       to determine whether there was backup\n                              unscheduled maintenance.                 
facilities equipment to accommodate\n                                                                       scheduled/unscheduled maintenance.\n                                                                       We interviewed the Facilities Manager\n                                                                       to determine who performed the\n                                                                       scheduled/unscheduled maintenance.\n                                                                       We verified with the Base Support\n                                                                       Agreement/Interagency Support\n                                                                       Agreement to determine whether\n                                                                       authorized personnel performed\n                                                                       maintenance.\n\n\n\n\n                                                                       62\n\x0cSC2.4 Records are maintained on the        We obtained and reviewed the schedule     No relevant exceptions noted.\nactual performance in meeting facilities   for routine facility equipment\nequipment service schedules.               preventive maintenance.\n\n                                           We obtained and reviewed the facilities\n                                           maintenance records (for example,\n                                           records for generator/fuel tanks,\n                                           batteries/Uninterrupted Power Supply,\n                                           and chillers). 
We compared the\n                                           maintenance records to the maintenance\n                                           service schedule obtained and\n                                           determined whether the records were in\n                                           accordance to the service schedule.\nSC2.4 Regular and unscheduled              We interviewed the Facilities Manager     No relevant exceptions noted.\nmaintenance on facilities equipment is     at the SMCs, ISCs, and DECC Pacific\nperformed and is documented.               and determined whether personnel\n                                           documented regular/unscheduled\n                                           maintenance on facility equipment.\n\n                                           We obtained and reviewed the facilities\n                                           maintenance records (for example,\n                                           records for generator/fuel tanks,\n                                           batteries/UPS, and chillers). We\n                                           requested any unscheduled\n                                           maintenance records that occurred\n                                           within the previous 6 months.\n\nSC2.4 Routine periodic preventive          We interviewed the Facilities Manager     No relevant exceptions noted.\nmaintenance on facilities equipment is     at the SMCs, ISCs, and DECC Pacific\nscheduled and performed in accordance      to determine who performed routine\nwith vendor specifications and in a        periodic preventive maintenance on\nmanner that minimizes the impact on        facilities equipment and whether\noperations.                                
authorized persons performed\n                                           maintenance in accordance with the\n                                           Base Support Agreement/Interagency\n                                           Support Agreement.\n\n\n\n\n                                           63\n\x0c\x0cSection IV: Supplemental Information Provided by DISA\n\n\n\n\n                         65\n\x0c\x0cThe DISA 2005 Statement on Auditing Standards No. 70 project included some\nconditions pertaining to security systems and procedures that are beyond the purview of\nCS. The following is a summary of those issues that continue to require support from\nexternal sources and were identified prior to inception of the 2006 project.\n\n2005 Results of Testing Requiring DoD or DISA Enterprise Solutions\n\nAudit Trails. The DoD Office of Inspector General recommended that the CS Director\nimplement more consistent procedures across the enterprise to create, monitor and\nreview, protect, and maintain CS system audit trails in order to comply with the\nrequirements of DoD Instruction 8500.2 and STIGs. In addition, it was recommended\nthat CS implement and configure software audit capabilities such that security personnel\ncould extract critical events from system data on a daily basis; conduct in-depth, daily\nreviews of all audit trails for suspicious activity; and investigate security incidents with\nautomated access to all audit data.\n\n        Status: DISA does not currently have the automated tools required to meet these\nobjectives. Implementation of the appropriate programs is pending implementation\nresources and technical recommendations from the DISA FSO.\n\nHost-Based Intrusion Detection Systems. 
It was recommended that the CS Director\ndeploy host-based intrusion detection systems software on all major application servers,\nnetwork management assets, and domain name servers, in accordance with DoD\nInstruction 8500.2 and the STIGs.\n\n        Status: DoD has awarded a contract for an enterprise-wide, host-based security\nsolution. CS is implementing the DoD-wide, host-based security solution.\n\n\n\n\n                                             67\n\x0c\x0cScope\nDefense Enterprise Computing Centers in Scope of This Report\n\n  Systems Management Centers\n    Mechanicsburg, Pennsylvania\n    Montgomery, Alabama\n    Ogden, Utah\n    Oklahoma City, Oklahoma\n\n  Infrastructure Services Centers\n     Columbus, Ohio\n     San Antonio, Texas\n     St. Louis, Missouri\n\n  Pacific, Pearl Harbor, Hawaii\n\n\n\n\n                                      69\n\x0c\x0cAcronyms and Abbreviations\nBMC       Business Management Center\nCCC       Communications Control Center\nCIO       Chief Information Officer\nCS        Center for Computing Services\nDAA       Designated Approving Authority\nDECC      Defense Enterprise Computing Center\nDISA      Defense Information System Agency\nDITSCAP   Defense Information Technology Certification and Accreditation Process\nDoD       Department of Defense\nFSO       Field Security Operations\nGIG       Global Information Grid\nGSA       General Services Administration\nIA        Information Assurance\nIAM       Information Assurance Manager\nIAO       Information Assurance Officer\nIAR       Information Assurance Review\nIDS       Intrusion Detection System\nISC       Infrastructure Services Center\nIT        Information Technology\nMAC       Mission Assurance Category\nMPS       Manpower, Personnel, and Security\nOMB       Office of Management and Budget\nPE        Processing Element\nPOA&M     Plan of Action and Milestones\nSA        System Administrator\nSLA       Service-Level Agreement\nSM        Security Manager\nSMC       
System Management Center\nSRR       Security Readiness Review\nSSAA      System Security Authorization Agreement\nSSO       System Support Office\nSTIG      Security Technical Implementation Guide\nVMS       Vulnerability Management System\n\n\n\n\n                                      71\n\x0c\x0cReport Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\nDirector, Program Analysis and Evaluation\n\nDepartment of the Army\nAssistant Secretary of the Army (Financial Management and Comptroller)\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAuditor General, Department of the Air Force\n\nCombatant Commands\nCommander, U.S. Joint Forces Command\n  Inspector General, U.S. Joint Forces Command\nCommander, U.S. Strategic Command\n\nOther Defense Organizations\nDirector, Defense Finance and Accounting Service\nDirector, Defense Information Systems Agency\nDirector, Defense Logistics Agency\n\nNon-Defense Federal Organization\nOffice of Management and Budget\nGovernment Accountability Office\n\n\n\n\n                                          73\n\x0cCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Homeland Security and Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Management, Finance, and Accountability,\n  Committee on Government Reform\nHouse Subcommittee on National Security, Emerging Threats, and International\nRelations, Committee on Government 
Reform\n\n\n\n\n                                        74\n\x0cTeam Members\nThe Department of Defense Office of the Deputy Inspector General for Auditing,\nDefense Financial Auditing Service, in conjunction with contract auditors from\nErnst & Young LLP, prepared this report. Personnel of the Department of\nDefense Office of Inspector General who contributed to the report are listed\nbelow.\n\nPatricia A. Marsh\nPatricia C. Remington\nRichard Ng\nG. Marshall Grimes\nSuzette L. Luecke\nChi H. Lam\nTomasa Pack\nPatricia Joyner\nWen-Tswan Chen\nJenny R. Ansel\nCatherine Cervantes\nKenneth J. Bensman\nJustin L. Symonds\nRobert Shell\nKandasamy Selvavel\nEric Bisignano\nAnh Tran\nEdward Kell\nJaime A. Bobbio\nMinh Q. Tran\nPatricia Papas\nErin S. Hart\n\x0c\x0c'